b24082496752d0ead8b747742671c5d60e8b7d12dc5b9cfa15ec57a5e61d53f4

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58e65a52b438cadc584634998e229f00_NEAS.exe
Size

441KB
MD5

58e65a52b438cadc584634998e229f00
SHA1

a4019c54288ce433cc59ea4b0ea4c25e21c81c6f
SHA256

b24082496752d0ead8b747742671c5d60e8b7d12dc5b9cfa15ec57a5e61d53f4
SHA512

19422c34748dfded71898d75d16415b597b04c5ec4c4a551d38d23546400a85b84853bfcd8ecddb9e33738d5270f83f901846edadfd9daac004c947d48198f71
SSDEEP

6144:2eHwXUU5EYCTvaBjRjWrLJKuKnGML5NjcxFSsQLH5Ab:2yMUusvalgg5NjaFSsPb

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\HMS1T4H\\QIO4Y1H.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\HMS1T4H\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	58e65a52b438cadc584634998e229f00_NEAS.exe

Executes dropped EXE 5 IoCs

pid	Process
2296	service.exe
532	smss.exe
1860	system.exe
2260	winlogon.exe
4564	lsass.exe

Loads dropped DLL 3 IoCs

pid	Process
1860	system.exe
1860	system.exe
1860	system.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023bb7-147.dat	upx
behavioral2/memory/1860-310-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sMS5G7M0 = "C:\\Windows\\system32\\SNL1S6NOTF8Y8W.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0Y1HTF = "C:\\Windows\\JLV5G7M.exe"	system.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\S:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q\SNL1S6N.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\YXE5J4T.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\YXE5J4T.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q\SNL1S6N.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\SNL1S6NOTF8Y8W.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\SNL1S6NOTF8Y8W.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q	lsass.exe
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\SNL1S6NOTF8Y8W.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q\SNL1S6N.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\SNL1S6NOTF8Y8W.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q\SNL1S6N.cmd	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\SNL1S6NOTF8Y8W.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\YXE5J4T.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q\SNL1S6N.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\YXE5J4T.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\SNL1S6NOTF8Y8W.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\YXE5J4T.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q	service.exe
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q	system.exe
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q\SNL1S6N.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\KCD5H6Q	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\YXE5J4T.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cypreg.dll	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\HMS1T4H	service.exe
File opened for modification	C:\Windows\HMS1T4H\service.exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\HMS1T4H\GJG5J3D.com	service.exe
File opened for modification	C:\Windows\HMS1T4H\QIO4Y1H.exe	smss.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\HMS1T4H	lsass.exe
File opened for modification	C:\Windows\HMS1T4H\MYpIC.zip	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	smss.exe
File opened for modification	C:\Windows\moonlight.dll	winlogon.exe
File opened for modification	C:\Windows\HMS1T4H\system.exe	service.exe
File opened for modification	C:\Windows\JLV5G7M.exe	service.exe
File opened for modification	C:\Windows\JLV5G7M.exe	smss.exe
File opened for modification	C:\Windows\HMS1T4H\GJG5J3D.com	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\HMS1T4H\service.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\HMS1T4H\regedit.cmd	service.exe
File opened for modification	C:\Windows\HMS1T4H\smss.exe	service.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\OTF8Y8W.exe	service.exe
File opened for modification	C:\Windows\HMS1T4H\regedit.cmd	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\HMS1T4H\QIO4Y1H.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\HMS1T4H\system.exe	winlogon.exe
File opened for modification	C:\Windows\HMS1T4H\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\JLV5G7M.exe	lsass.exe
File opened for modification	C:\Windows\OTF8Y8W.exe	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\HMS1T4H	winlogon.exe
File opened for modification	C:\Windows\HMS1T4H\QIO4Y1H.exe	winlogon.exe
File opened for modification	C:\Windows\HMS1T4H\system.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\HMS1T4H	smss.exe
File opened for modification	C:\Windows\HMS1T4H\system.exe	smss.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\HMS1T4H\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\HMS1T4H\smss.exe	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\HMS1T4H\system.exe	system.exe
File opened for modification	C:\Windows\HMS1T4H\winlogon.exe	system.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\HMS1T4H\regedit.cmd	system.exe
File opened for modification	C:\Windows\HMS1T4H\system.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\HMS1T4H\winlogon.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\HMS1T4H\smss.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\HMS1T4H\service.exe	service.exe
File opened for modification	C:\Windows\HMS1T4H\smss.exe	smss.exe
File opened for modification	C:\Windows\HMS1T4H\winlogon.exe	smss.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\HMS1T4H\service.exe	lsass.exe
File opened for modification	C:\Windows\lsass.exe	58e65a52b438cadc584634998e229f00_NEAS.exe
File opened for modification	C:\Windows\HMS1T4H\service.exe	winlogon.exe
File opened for modification	C:\Windows\HMS1T4H\smss.exe	winlogon.exe
File opened for modification	C:\Windows\OTF8Y8W.exe	winlogon.exe
File opened for modification	C:\Windows\moonlight.dll	system.exe
File opened for modification	C:\Windows\HMS1T4H\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\HMS1T4H\regedit.cmd	smss.exe
File created	C:\Windows\MooNlight.txt	smss.exe
File opened for modification	C:\Windows\OTF8Y8W.exe	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4956	1860	WerFault.exe	86
540	1860	WerFault.exe	86
3916	1860	WerFault.exe	86

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	58e65a52b438cadc584634998e229f00_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
876	58e65a52b438cadc584634998e229f00_NEAS.exe
532	smss.exe
2296	service.exe
1860	system.exe
2260	winlogon.exe
4564	lsass.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2296	876	58e65a52b438cadc584634998e229f00_NEAS.exe	84
PID 876 wrote to memory of 2296	876	58e65a52b438cadc584634998e229f00_NEAS.exe	84
PID 876 wrote to memory of 2296	876	58e65a52b438cadc584634998e229f00_NEAS.exe	84
PID 876 wrote to memory of 532	876	58e65a52b438cadc584634998e229f00_NEAS.exe	85
PID 876 wrote to memory of 532	876	58e65a52b438cadc584634998e229f00_NEAS.exe	85
PID 876 wrote to memory of 532	876	58e65a52b438cadc584634998e229f00_NEAS.exe	85
PID 876 wrote to memory of 1860	876	58e65a52b438cadc584634998e229f00_NEAS.exe	86
PID 876 wrote to memory of 1860	876	58e65a52b438cadc584634998e229f00_NEAS.exe	86
PID 876 wrote to memory of 1860	876	58e65a52b438cadc584634998e229f00_NEAS.exe	86
PID 876 wrote to memory of 2260	876	58e65a52b438cadc584634998e229f00_NEAS.exe	87
PID 876 wrote to memory of 2260	876	58e65a52b438cadc584634998e229f00_NEAS.exe	87
PID 876 wrote to memory of 2260	876	58e65a52b438cadc584634998e229f00_NEAS.exe	87
PID 876 wrote to memory of 4564	876	58e65a52b438cadc584634998e229f00_NEAS.exe	88
PID 876 wrote to memory of 4564	876	58e65a52b438cadc584634998e229f00_NEAS.exe	88
PID 876 wrote to memory of 4564	876	58e65a52b438cadc584634998e229f00_NEAS.exe	88

C:\Users\Admin\AppData\Local\Temp\58e65a52b438cadc584634998e229f00_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\58e65a52b438cadc584634998e229f00_NEAS.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\HMS1T4H\service.exe
  "C:\Windows\HMS1T4H\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2296
- C:\Windows\HMS1T4H\smss.exe
  "C:\Windows\HMS1T4H\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:532
- C:\Windows\HMS1T4H\system.exe
  "C:\Windows\HMS1T4H\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1172
    3⤵
    - Program crash
    PID:4956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1376
    3⤵
    - Program crash
    PID:540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1368
    3⤵
    - Program crash
    PID:3916
- C:\Windows\HMS1T4H\winlogon.exe
  "C:\Windows\HMS1T4H\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2260
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1860 -ip 1860
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1860 -ip 1860
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1860 -ip 1860
1⤵
PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HMS1T4H\GJG5J3D.com

Filesize
441KB

MD5
8e7c34d169cb4c9a91f42fe088c158e9

SHA1
a7fcb1502ab583c02505683150017899a51a9646

SHA256
c04a3738000e1b91e0d87aa119a0f90049a44c4f302c649acd8090b7d41a9171

SHA512
c854f51530d78b45f8a24474501dc79d4b9183ff2f8bd278a378cfbec70dce3896313037ced50f8f259b726f7f4464c7dad9b85572b2e883631943459aedf29a

Download Submit
C:\Windows\HMS1T4H\GJG5J3D.com

Filesize
441KB

MD5
0362295d6a77a7f61788e4879d202a6f

SHA1
0ff098866890462d0289db6dfb38235e7c5bdd33

SHA256
ea04cdb650a38a1ad37b5547fa8a228c8b378e4b8f3218a5c7f51c501c0a481d

SHA512
1eecdcf6c07e9d4b96b51cf0d79e8b11edc754475fb669de26fc07b6a2c00248fd6b4e082b94ac54f2451510f7580ce8b2de9fbaa5fa07cfab4457c5a774223a

Download Submit
C:\Windows\HMS1T4H\QIO4Y1H.exe

Filesize
441KB

MD5
e9a6cf1d3d8f5b945a0b0fc2e343914d

SHA1
16163c1af96d9367962aa0fbd627e2fbb8608db5

SHA256
8d0a5a3a32fd8ac7c5efca2916e5066a6b01d4cd88dbc6ff1c0ca1fb2957c03e

SHA512
e998dfb211cf513b881b80b3a207e722d220151e54446463ffd10e7c159b127ecf1b4a2a245f7c291a7e4d5a70a664994db620045d241b990cddf929638b144f

Download Submit
C:\Windows\HMS1T4H\QIO4Y1H.exe

Filesize
441KB

MD5
fad020dde6e2ed0eb08f01bb454474ff

SHA1
ca4d7b3d62072a055dc0078631823390487002d2

SHA256
c0e92765338648f19cc2c515ce44a962a1310fd350a8a2641c71afa34016097c

SHA512
64a6e8510c35c9a484ef09d3112e2017004fe96d61b65b47db354f8afce8c9550aa0de02d4726e83c3106e4c4cf3f36178c5e6082cd01a54b59e6970f6149157

Download Submit
C:\Windows\HMS1T4H\QIO4Y1H.exe

Filesize
441KB

MD5
3363ff23da8974f046a22eb4ae9ae7a0

SHA1
a04b7eb28437c01ad615a4d04241f6f9fddd988d

SHA256
b04cc24974cecd248580218d89cd1a1acbe8b7d170b50f8e4b4904e0696c88aa

SHA512
1c0f87a1c9709e5f1d5541cdb339b5dc869e838082b281232d2bd3b7238e3b0eb711f530ab1d92dfcb0dd040c9f20450859adf23654a81d78ad8fec2b076eb0d

Download Submit
C:\Windows\HMS1T4H\service.exe

Filesize
441KB

MD5
70c2d13256c9ced4119f6f0162477eb8

SHA1
56a67b84f8ae11f94abeb9e27fb73ba42c371583

SHA256
9d806d7f6987788aa3c6ea71cffb81b0b897ce6132bfe899eb3b4c1fe29b3059

SHA512
9c0c98d5888294e62cee1c31009d3fa2c5327acf45c0de163aed1eca039de6bec5bfece04a14bf1477cc1dd82261e80299f9ab58ee1e7604b6e50542199e45a1

Download Submit
C:\Windows\HMS1T4H\smss.exe

Filesize
441KB

MD5
a798579d9710cefd99d59b30816281b2

SHA1
b08a0b7c7264fe5ab0b61b9e8362d81b04dd58d5

SHA256
a1283b6c954e5ad1a467be5398f1a5f518370cfaceeb1a4e8ad04c503867c184

SHA512
ae204e986e3685bc43a54d1f2a569cc41da7b3ed4874e4f16b9638891916b71f9fa96aa0ffd60430c37f6d6173901b1c93fdcd58e13d2a737dcb5091d0f671ac

Download Submit
C:\Windows\HMS1T4H\system.exe

Filesize
441KB

MD5
1d8eb23c897943fefcf153001c2f39ea

SHA1
bd271b79c33e66e0619390c29cd319ba1f31646f

SHA256
907377a1d088f7aa02e95865de37822727f89165d1ade3a0abea154ea0f1f4c5

SHA512
34751d0f54dc738830bd028d004eb3a6c03c0d5bda9637ebda45f3b0eea1f2759e7bb377498ad9276f7e226dc330a99c05f35201c5974b8c5bb8718abf0e5951

Download Submit
C:\Windows\HMS1T4H\winlogon.exe

Filesize
441KB

MD5
5d523791d8e9f01b63fe12e55e2db527

SHA1
d31943ac29534f9d0ff9bcbc95b41b31d46a9077

SHA256
ea8de4bc04987ab20ce42f3ca1f40cadda1c5e233e0618a43b34637e222c8132

SHA512
abbd60ab999e8bf9edbefe766e220fd4693d3424f467e4a690337991a56f24c2310b587f152fe14e1a692804ad397159acdbe563a23b83c89d3c581d8f35b3bc

Download Submit
C:\Windows\OTF8Y8W.exe

Filesize
441KB

MD5
d315d5c59b859002eee8e9abb2327ded

SHA1
4e07dfd417a720628eb1502eab201325c58e1075

SHA256
97eef628da9bb0ad817717d26b5870087c772d31fb20386b5eb78066a90bd49b

SHA512
f4c8428a209b54400d72261a0cf8946efafadf11f0dec7f210038cc4ea8e2fdeb69648933035ad01950bed65a4334dbc36648e2aaf5c73db8fa93d6f3b0216a7

Download Submit
C:\Windows\OTF8Y8W.exe

Filesize
441KB

MD5
ad1b2270fee9fdf4d2ef48c5585011cb

SHA1
e797b4adf05e0ce51286b173e32ae0a311b601f2

SHA256
bd00a66a6fbf7eeafc59185fcd97b2e7832f7c7866ee17096b66977d532347de

SHA512
5c8866a59d01ab8fc3b134a97b58a67c731b0137266def1c4bb85edb53acc38e6e8b9fe1f64d7bb3794d1b27b1f08fd4a0fbdaf237112e4836e307dbbee55bc9

Download Submit
C:\Windows\SysWOW64\KCD5H6Q\SNL1S6N.cmd

Filesize
441KB

MD5
457fbfa60e7ba982d9ecaef1b69cd484

SHA1
a6a8810e3186bb6188f51c32fabb61567166b47e

SHA256
d2945bb3eae2a06fab8b974a2924c12eb5409406b0ef338a701f5702b7624f4f

SHA512
31523a00c909ab1f50cded7dd0cd955cf7d7889aa6473119cdb6f083efe529934eca1e4541b1ea44a4d298ef4ba8a2dbfa1feb1e7e774337f54949b73a26bc89

Download Submit
C:\Windows\SysWOW64\KCD5H6Q\SNL1S6N.cmd

Filesize
441KB

MD5
976981feda7be1f64f71e9f6e8db7c07

SHA1
5d909bd55bd496a6f2bab4df50f539ab27c13739

SHA256
6eb6a84743ea3e7d0d810fe632c0c01b67bb25d909f84786293a75d262b216bc

SHA512
f26e5fd5e20c4d4b801b051ebd08fca02826fe4f25c292988a2104319ae98294f111aa429d8dc3d01e514011a9a87defff42074c509ba0bd6f64ec0a2baaf0b8

Download Submit
C:\Windows\SysWOW64\SNL1S6NOTF8Y8W.exe

Filesize
441KB

MD5
8f4f4d70dac5c886fcc9037abf382a30

SHA1
62a4ec56b541bbdb3fa21e061462bcd1147cb67c

SHA256
cc2d04185427dbbde3ddb85dfdfa97458cab1ce2922f412e4017997255871a51

SHA512
3fdf5eeaa7245e115a6436dbc774393db5d7c36cdf9f89fc416f51ad25b92bec93e22cec6cfdbcdee84d4b21d4f9bd430f303bd0a48c3f4c984906ec341dee74

Download Submit
C:\Windows\SysWOW64\YXE5J4T.exe

Filesize
441KB

MD5
8e63805d219d57b985446181e7a6abdb

SHA1
f62ec5fdd3a0514ff1544562e85c9fd037bd58c7

SHA256
43bfca179a687c170f1f197d8dd506849c3174c351ad8ec65dfbfccc0ced4680

SHA512
1dc6677181107d75dacabf4fa5a700a78df6ced2a77f309ca00d93e0fc1e4f0d79d7928ee2f1e688e5377e5c00ee71dec14e4aa3962eac80e31435b059214fdc

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
e10f9e4b67d3bb418c144d36485a96c2

SHA1
2bbf8116de97ab1c3c13b22663fd96cf1675a1bd

SHA256
60cef26c3c596e0be944db20cb57d623b05c05edf8968b675ae5070d8e593329

SHA512
9c7a9f9f039434145d6f60e10dd85dac98f3945ea8bc3ed57fc7db37119a78f264f8c75192ce28c437d7c9cdcf49cda3ff224f3959a5e95c5c10c36d6de5648a

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
a1bf37a96dda42f4cb4f6e00f83d3652

SHA1
626ec09716d6e5d104a3ca49e358e781b3c89e34

SHA256
1241ef4fc0d153d8846bddad1400aec8e1cef0e38a455a9781d38d2f7e22e390

SHA512
f62fb3dcc066be9e2b02251737ef147a13adf2838bdfbcd03a33461003a46318538ebf820e80890cbb40ffc08b0f79638ff5e21414910aef52ee2a567f8109bb

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
016153e7d87da4663906542e9984ed56

SHA1
98bcd3fa50dfe9cc40e7cfc6d2473676bdfe1c78

SHA256
ff8e86e1e77eabbbd74fbac06432a73af90663e4ec1ca8083a94cf10adadbd30

SHA512
1e8990ccdf6857cabdec0abaeba1ac68cd67f769ff2a9c40d13bbc09980895793284c861bbd5ced0557cddbe5efd92d07f9f339bdf30d1935a80f0af21a30093

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
3901a79afc3ed429cd22c85474ed7ef7

SHA1
e93632ee1d9aad007dd3eac5a7298e81aa8c42f3

SHA256
b79cf2c7b87a0210f25c39c3ae1ea72df7b46a11575fdde8fea5f626790d581a

SHA512
797dd0e992262de121e3361a046ccc29b3b25cc75a2d4f97b0c633ae8ff7227d571d7504d9bb64d6791f97f1f89062c43d7b0e34f9271c95b8592b5e68247af2

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
0465802f99a2971dbc61fbb19a8ac1fe

SHA1
d282f13fa629c144620ec2bfee64347c5d9140ee

SHA256
b26b7b79e0c1ddc76a0a245b670b5e9d635abeede20ccf6bc5d883301a888d60

SHA512
b9b54f3e1168ba8e966f7747ea440d9d98d9fc66d250c70ebdb3461c372db89d07295f1ad086f9fe51f75f5bf74902da3b13bdfca4affbf4bcd3dd57fbc167c4

Download Submit
C:\Windows\lsass.exe

Filesize
441KB

MD5
fb968ca39188d121abdab76a8bcc7a6d

SHA1
0e14f0cab411a797490c605aff74c62f3535b5cd

SHA256
5ffff190be72cfbe43713b790938d4050f76ac8d623c69c8ca07e5012e8d5b56

SHA512
b6364304c8ba3773a5bc783c4230a3fcb7ce2fff376d98d37b5b24958136fca3328ebc87c6757dfde567f485322b863c71c5fc2b4edfc23b2996b34e7c3fa26c

Download Submit
C:\Windows\lsass.exe

Filesize
441KB

MD5
58e65a52b438cadc584634998e229f00

SHA1
a4019c54288ce433cc59ea4b0ea4c25e21c81c6f

SHA256
b24082496752d0ead8b747742671c5d60e8b7d12dc5b9cfa15ec57a5e61d53f4

SHA512
19422c34748dfded71898d75d16415b597b04c5ec4c4a551d38d23546400a85b84853bfcd8ecddb9e33738d5270f83f901846edadfd9daac004c947d48198f71

Download Submit
C:\Windows\lsass.exe

Filesize
441KB

MD5
1127e0e3782de6b29c03522b0ea47194

SHA1
b970ad930bb1d70bc685024d110cac2468ae53c8

SHA256
0cd20cddae0290b2be85ae0b3e8f567ef73a1bac48a8f2ae3a204b13f9821d39

SHA512
8cfb67f24988202ebc7c5117fef2a2e553de86351c33b587cca8ccfe0a52bfbc0694b1e6fa027df007b3c0e35e5a60e2a367be2a4438bb49e0a560781770b8fe

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
8e6e31f8df128a746ff9a3a38f8f78c0

SHA1
e4da9aa336eb7e254592e585b29d8b4e23f3e4bd

SHA256
dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7

SHA512
eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
3437e10753a2babaf912e7f35933cc46

SHA1
ba859ede6f76ea2fa04af875ad50b53b8c5e269a

SHA256
121a3871efbfe54e2914cb90453ba26af3df816b936c7136d23c1799789b43eb

SHA512
b3c85402b16951ad87d7379929be8b303953ea420f3537128304b8f882db353274caab8996c52a4ba994a99ede2ca87b704bf7ea286dae46b8d7fda775d6f510

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
3b039cfcb4049f9ddb4d6a89825ba89b

SHA1
db124e3221b89df324b8cce304dbc50baa313145

SHA256
8081e0930368fdd7a905846cc989b12886187812fb20842ba13264b5a1cee097

SHA512
c2caaaa9d072f778abc1ebfea190082234b93e521912fd021e3bb3e8edb23fc7f9cb9e7a5ca5ef028659e1369484815122d11844946c3ef6658104349020eeb6

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
121c6d3c64d63e8bcefaf599acfd9ed5

SHA1
97273b1d544a2ba345eb118de55431fe25e03ee0

SHA256
27b91e8f5888115fcabcc721905935555dee46f5c8e1bff2a2f6ee7b8dd74009

SHA512
d1b0d63d08ee04f37999a86a6f0cd7e151d3bd74432c3052668d9c0ee8f0d0d681e74fe58beca534e1166f58b7fe578fa7105f37b0f8d707e46615337315b362

Download Submit
memory/532-74-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/532-317-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/876-288-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/876-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1860-123-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1860-310-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/1860-318-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2260-124-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2260-319-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2296-316-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2296-63-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4564-308-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4564-320-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads