7859a5996c7be955954ddb4577dc436de3a5b9ac3c72f449ec36cd9c6d8cab07

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42f4687a755b165e8cb71c8b07179700.exe
Size

585KB
MD5

42f4687a755b165e8cb71c8b07179700
SHA1

3a0e4bdba15af65a67e408ea9e2667adf33576d2
SHA256

7859a5996c7be955954ddb4577dc436de3a5b9ac3c72f449ec36cd9c6d8cab07
SHA512

af6482ed9c826286d1d264bf8f456cdf086efc2f4ae753f474ad7bf04c8e465e88547d7b15fc602cf932a93d8d5dd03883d0ed5cd91ebee1c559896b110843b2
SSDEEP

6144:LeHwXUU5EYCTvaBjRjWrLJKuKnGML5Njcxmu3ijWrLJKuKnGML5Njcxgu3hjWrLI:LyMUusvalgg5Njam8g5Njagxg5NjagZ

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DJP0Q3E\\MFL2V0E.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\DJP0Q3E\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe

Executes dropped EXE 5 IoCs

pid	Process
2736	service.exe
2376	smss.exe
2448	system.exe
1944	winlogon.exe
2840	lsass.exe

Loads dropped DLL 7 IoCs

pid	Process
2864	42f4687a755b165e8cb71c8b07179700.exe
2864	42f4687a755b165e8cb71c8b07179700.exe
2864	42f4687a755b165e8cb71c8b07179700.exe
2864	42f4687a755b165e8cb71c8b07179700.exe
2864	42f4687a755b165e8cb71c8b07179700.exe
2864	42f4687a755b165e8cb71c8b07179700.exe
2864	42f4687a755b165e8cb71c8b07179700.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015cff-210.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\sJP3D5I0 = "C:\\Windows\\system32\\OJI8P4KLPY7U7T.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0V0EPY = "C:\\Windows\\GIS3D5I.exe"	system.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\E:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N\OJI8P4K.cmd	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N	lsass.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N\OJI8P4K.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\EDG6L5W.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N\OJI8P4K.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N\OJI8P4K.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\EDG6L5W.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N	smss.exe
File opened for modification	C:\Windows\SysWOW64\EDG6L5W.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N\OJI8P4K.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\EDG6L5W.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N\OJI8P4K.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\HWX4D5N	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\EDG6L5W.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\EDG6L5W.exe	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LPY7U7T.exe	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\LPY7U7T.exe	service.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\DJP0Q3E\service.exe	winlogon.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\GIS3D5I.exe	service.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2V0E.exe	service.exe
File opened for modification	C:\Windows\DJP0Q3E\smss.exe	winlogon.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E\system.exe	lsass.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\moonlight.dll	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2V0E.exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2V0E.exe	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2V0E.exe	lsass.exe
File opened for modification	C:\Windows\LPY7U7T.exe	system.exe
File opened for modification	C:\Windows\DJP0Q3E\CFC4G1W.com	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2V0E.exe	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E\smss.exe	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\DJP0Q3E\winlogon.exe	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\DJP0Q3E\regedit.cmd	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\DJP0Q3E\regedit.cmd	system.exe
File opened for modification	C:\Windows\DJP0Q3E\system.exe	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E\service.exe	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\DJP0Q3E\service.exe	system.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2V0E.exe	system.exe
File opened for modification	C:\Windows\DJP0Q3E\system.exe	smss.exe
File opened for modification	C:\Windows\GIS3D5I.exe	smss.exe
File opened for modification	C:\Windows\LPY7U7T.exe	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E\winlogon.exe	service.exe
File opened for modification	C:\Windows\DJP0Q3E\system.exe	system.exe
File opened for modification	C:\Windows\DJP0Q3E\CFC4G1W.com	smss.exe
File opened for modification	C:\Windows\DJP0Q3E\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\DJP0Q3E	service.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\DJP0Q3E\smss.exe	service.exe
File opened for modification	C:\Windows\moonlight.dll	system.exe
File opened for modification	C:\Windows\DJP0Q3E	system.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\DJP0Q3E\MYpIC.zip	system.exe
File opened for modification	C:\Windows\DJP0Q3E\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E\system.exe	42f4687a755b165e8cb71c8b07179700.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\DJP0Q3E\service.exe	smss.exe
File opened for modification	C:\Windows\DJP0Q3E\regedit.cmd	smss.exe
File opened for modification	C:\Windows\DJP0Q3E	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	42f4687a755b165e8cb71c8b07179700.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2864	42f4687a755b165e8cb71c8b07179700.exe
2736	service.exe
2376	smss.exe
2448	system.exe
1944	winlogon.exe
2840	lsass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2736	2864	42f4687a755b165e8cb71c8b07179700.exe	28
PID 2864 wrote to memory of 2736	2864	42f4687a755b165e8cb71c8b07179700.exe	28
PID 2864 wrote to memory of 2736	2864	42f4687a755b165e8cb71c8b07179700.exe	28
PID 2864 wrote to memory of 2736	2864	42f4687a755b165e8cb71c8b07179700.exe	28
PID 2864 wrote to memory of 2376	2864	42f4687a755b165e8cb71c8b07179700.exe	29
PID 2864 wrote to memory of 2376	2864	42f4687a755b165e8cb71c8b07179700.exe	29
PID 2864 wrote to memory of 2376	2864	42f4687a755b165e8cb71c8b07179700.exe	29
PID 2864 wrote to memory of 2376	2864	42f4687a755b165e8cb71c8b07179700.exe	29
PID 2864 wrote to memory of 2448	2864	42f4687a755b165e8cb71c8b07179700.exe	30
PID 2864 wrote to memory of 2448	2864	42f4687a755b165e8cb71c8b07179700.exe	30
PID 2864 wrote to memory of 2448	2864	42f4687a755b165e8cb71c8b07179700.exe	30
PID 2864 wrote to memory of 2448	2864	42f4687a755b165e8cb71c8b07179700.exe	30
PID 2864 wrote to memory of 1944	2864	42f4687a755b165e8cb71c8b07179700.exe	31
PID 2864 wrote to memory of 1944	2864	42f4687a755b165e8cb71c8b07179700.exe	31
PID 2864 wrote to memory of 1944	2864	42f4687a755b165e8cb71c8b07179700.exe	31
PID 2864 wrote to memory of 1944	2864	42f4687a755b165e8cb71c8b07179700.exe	31
PID 2864 wrote to memory of 2840	2864	42f4687a755b165e8cb71c8b07179700.exe	32
PID 2864 wrote to memory of 2840	2864	42f4687a755b165e8cb71c8b07179700.exe	32
PID 2864 wrote to memory of 2840	2864	42f4687a755b165e8cb71c8b07179700.exe	32
PID 2864 wrote to memory of 2840	2864	42f4687a755b165e8cb71c8b07179700.exe	32

C:\Users\Admin\AppData\Local\Temp\42f4687a755b165e8cb71c8b07179700.exe
"C:\Users\Admin\AppData\Local\Temp\42f4687a755b165e8cb71c8b07179700.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\DJP0Q3E\service.exe
  "C:\Windows\DJP0Q3E\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2736
- C:\Windows\DJP0Q3E\smss.exe
  "C:\Windows\DJP0Q3E\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2376
- C:\Windows\DJP0Q3E\system.exe
  "C:\Windows\DJP0Q3E\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Sets file execution options in registry
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Windows\DJP0Q3E\winlogon.exe
  "C:\Windows\DJP0Q3E\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1944
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DJP0Q3E\CFC4G1W.com

Filesize
585KB

MD5
e614ba957dee22cb7d51fec79d435259

SHA1
027de4fd9b0a9e2fab947fee4acffdb018639eb0

SHA256
8b33b3805bf5c36d3436c7939a1d3828f3542be397fa92c4a1acf0ac1dc138a5

SHA512
e338d898313310d03719a2be14dbb4d9e758f3847a31bd4731aed64f1d3b12c6005b87e0f7f37356d8a2a926d06ff2288022d516e07cdfaa486b64a0d46941c2

Download Submit
C:\Windows\DJP0Q3E\CFC4G1W.com

Filesize
585KB

MD5
f3b011cc4b29e459fe16185e8fbe99ee

SHA1
9c71b632bee1a91e0da5d20fbda1c7c98f9e0bb4

SHA256
3cad98b4b7b30f454dad20b533dc3a656b415049437e6cd4b4cefa1ab9eb0e76

SHA512
ca2a0b4c65dce8674cff209c0fcade47627e61156c618d5bb70c72ba190c0aa621d74012703b2ef07a2e93c1fb3c83e9aa6bbcd6dbed5117fe504fdd52a9c7f9

Download Submit
C:\Windows\DJP0Q3E\CFC4G1W.com

Filesize
585KB

MD5
0df4ecfdac08e26c63661f803f13bad1

SHA1
3ae0bf1e5d634876646aaa3a77a1704f4432ae2f

SHA256
0660d573cf67fb2d0baa7ef2e55c83525454bedbe27206a044fe3541257c18ec

SHA512
5191bca13cea355873d4b92a581bbb37e4ce66a0dfa4fe524b5f979c1337d959f4fbbe4eb9d1882157bdd865daef74411c166cd0b1f9f38a3074a8e878cf107f

Download Submit
C:\Windows\DJP0Q3E\regedit.cmd

Filesize
585KB

MD5
42f4687a755b165e8cb71c8b07179700

SHA1
3a0e4bdba15af65a67e408ea9e2667adf33576d2

SHA256
7859a5996c7be955954ddb4577dc436de3a5b9ac3c72f449ec36cd9c6d8cab07

SHA512
af6482ed9c826286d1d264bf8f456cdf086efc2f4ae753f474ad7bf04c8e465e88547d7b15fc602cf932a93d8d5dd03883d0ed5cd91ebee1c559896b110843b2

Download Submit
C:\Windows\DJP0Q3E\service.exe

Filesize
512KB

MD5
7529257bf59dc27da9b277eeef9354ee

SHA1
2972ed5a39e842cc745f89664ba99b0cc3cb1283

SHA256
fbcf7024a2c2ebb10b4d691e8fe5c058f39415a62814b2f0d35f0fbebcb1ec2b

SHA512
e9916f4186ce66259191ed84a18c031a991cf47c8ce1ad99b8bd2d3336db75cf0658143698c851c3367a25f1bde34be166dd7d741296057f7f09740bebdd12d5

Download Submit
C:\Windows\DJP0Q3E\service.exe

Filesize
585KB

MD5
af27d6136944b50a00fe5986020f1512

SHA1
397e70b479b04724f0ef18deadd94d3c8ef54176

SHA256
02009cab12bbe4e42992c3d4479493eb7e20bdd058eef1f33b4ba5f63a60fe67

SHA512
396a3e892718792aa30f300af983f0cd6f9b910d277ad0b230b45cb5346fca446349947ac7cefb78849dc850775356f864f7a35c177b940de176b14df647c0d1

Download Submit
C:\Windows\DJP0Q3E\winlogon.exe

Filesize
585KB

MD5
56bbfaf63813e1e405dbef536c3bcc26

SHA1
d02a3e85e02050e368b2cf5ddca1b49a10d1f6d4

SHA256
448b38f0598d439ce757b015ae5e8bbe007f426deeb88690d487ce1029b6e342

SHA512
2a626b96ccca26dfff622e307a199c44970f2455601a0f57844ebd0d419e97b9be15f04c56f162983a96e332f22e2ba4fadc61489ce2df9a8f4454d470413a08

Download Submit
C:\Windows\GIS3D5I.exe

Filesize
585KB

MD5
062966709ede6facbcd4443db5aeb2fe

SHA1
4d5253a48f33707c80eedc1d63cd2dd1ef8d0ebf

SHA256
5842a55f877fa8a958b996435338107958cf02c652906335aab697dc09a255fa

SHA512
82800d7f3610da4a21a2205c407bbccd275271e1e864fd541ee5a3c8952d529e75255d0be4327a4beaa06283a71d86b5d0f737ea6008554a8e84c0d2f5baef1e

Download Submit
C:\Windows\GIS3D5I.exe

Filesize
585KB

MD5
7cce64243d7fc347500618c44e9497a2

SHA1
eed3f9a84e6b04b34ca98b93dbc38b823f23f330

SHA256
36c8c4cfd4c8fa356a0aaa51adc4670fa5756f24fb1b72b015f6d3193aa84ca6

SHA512
22ab25d9cbfbccdf89b648cc4f68379b816684da83ff115ecd32187ec3659ddfbe1c811473beef7b574ded3b5a199c97b3302136ab079db286a6e09c7f9e4ed6

Download Submit
C:\Windows\GIS3D5I.exe

Filesize
585KB

MD5
6ee31b669dbae510db5f2270464d0872

SHA1
8a9f728688d73a53236e410d9897f2e2c576af64

SHA256
47d9801717d5130722d4cf6a2d0f8601a774a3d17be0c732458c76e3ca102635

SHA512
64e4cfd9be6bb93cec99ba62b6f1159932713ec9088529ed2c646296759df16e50e6f84c376d40cfcdc6848da1bca3200f6c40600f26c6679fa9267e0bca2f41

Download Submit
C:\Windows\LPY7U7T.exe

Filesize
585KB

MD5
f7b6be09a5e0f78d391c2d8db94261e3

SHA1
49d91a19a09f44d883ac52d3b93a956bdd45a9a1

SHA256
d968e54fe38698cf917cbb37fe16b50dd2535ba70c8394e2999a8225fd71127c

SHA512
edc81f2cd9310356f6107112f6943a2f38230befbe7b44aad9044dc880f5c945c072c56268ee7b93f96347fedf10bb241b78b419cd9d692803c2f5ab11882fbe

Download Submit
C:\Windows\LPY7U7T.exe

Filesize
585KB

MD5
8e9c6f0a3f8144c3bde7125ff9241bc8

SHA1
b1f381fbe83187b1357c761feb4b9a17c1491e31

SHA256
e4352c7c81f2830745ab3b349800cc3144af5764cf417b5e6fcbf6af403a4fbe

SHA512
0e9bb86243f1461cb83319214ca3db7929b29dfe0562faa1c7a36c4bfa8f3e03367cdb12acdb8f1cc0c6ee8c21d0cff4ac1e398ec4d6e487cdd37f48045b75ec

Download Submit
C:\Windows\SysWOW64\EDG6L5W.exe

Filesize
585KB

MD5
94bb303f2577d5501d056605048756f8

SHA1
f4b0a7262c71c0f26e1867a3219b04c396ff16c6

SHA256
5d7063f2465fb7cc09d1e138b5fc55911538fa546c074a20b1cda53143e43e84

SHA512
f36c182f8c55bcd074f8f5cb8d809294231eb789624fd282f5ecbfe09e49db4e077f6240cd841b94562eb4b4dc699cc0dcf08c449c22d54f386977fbbae04fd1

Download Submit
C:\Windows\SysWOW64\HWX4D5N\OJI8P4K.cmd

Filesize
585KB

MD5
5bd2640d8a91e2c790a93ea0802ba0c9

SHA1
a7aa9c2990f499a4dcaaca5549f2c04ee6bda98e

SHA256
26691a729931071d0ce270032e58d89a899e403521fa23a56ca4bfa65f556f02

SHA512
a03c5bd49b428fb7a18d895e7b07976e2a678eebe9ba6ec4bd982c4cacb8b962c6fe4b427219c12770ac5b8f681b972ab35a3b544072d375687026237e176295

Download Submit
C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe

Filesize
585KB

MD5
1e840402cf265f4531fe813ca61d2df3

SHA1
ad7cc221018d68362833d7f365160976b9dfb132

SHA256
d41f95f4a83bf51e80d88b9f846b28ce2b372ac170910ccd50f070339ea552a2

SHA512
b7c47e7fab6f3c87da62c8bebd9f75c5eeb660e2754c3081c78dc1e3182ad8c0a187b1f3c503160b10ba9ca57eb30533dc4cc04e50122a6d628801a45cacf62b

Download Submit
C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe

Filesize
585KB

MD5
91096f71ab9595da57e9139af9478181

SHA1
3d019d4f75f33b8bc9485783cd1fa3a09de1b293

SHA256
ad2735bf5946d19c9d735894c91c57ba664199d5577ba616b5aacc199205cc31

SHA512
227d6c4bb9b11105687457424ecdfb23f1f1c4fd1d38b6f9440a5abc3c83a9301efd3c324cb786fcad0d79314a875dffd1e1486037b9fbdf3550473dafd72464

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
da32c00cd3f82a1e907dae0c35f3953e

SHA1
8ce604da2ab196a13863a09dbdd5786834c71daf

SHA256
254f0d41b64579eb78b7d103f775d44dc6ca5d2805cbc30cfeeb42ac857a4e60

SHA512
19a464ff85594ba1c538171cff34cc1ed34cb5902719591efef9c6569fdef22ee8b74ead61833d6bc7e1536bb10fecbe1bb3b10116e4535712d5449b288706f9

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
a3a4b9d0e6a68c629644e2cbc2cb80d3

SHA1
a80269d86c8f1586b17a89c68cf0c38c9d2fa870

SHA256
7c0438c40169d7369d8cd189f9c3c5e6bf345d0330529a99902aafa7df297cb3

SHA512
cc5615a473d9f5d75f541ac91e43e1f726a5a5f18afbacac5e531da93e8e6299e8b56073f8d5f5ea58244b02db71ea4a6d2a6b1ac50201495b1f9ccb6351b7d1

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
222412a7b673f2ecdc4ff160c9fa978c

SHA1
9917fd91cb58b99d38bd73a5a806fb8e97415f68

SHA256
d51b2923593321a3d413c512e622774a8cc1589366284096aee06468a1dca159

SHA512
5701792206f9e9ae977b60d547b8ce953718c847c2c25158a4135dbc5877cb7b5dfcba7e3aaebf8ffb983bfe64b21a6985af978e088bc60071aee7f349b8f927

Download Submit
C:\Windows\lsass.exe

Filesize
585KB

MD5
92e82ac6bc4b0b6ff74e9516dc0fde78

SHA1
69a4706b3b5937e7ee1ddf01b4597ea1787affc3

SHA256
8c991d09cd6871de60158a50100fd4448a4f10d95bb4c4c69c1c2f2a5b8d7bd8

SHA512
56996d4ff4ac6a9c830d28f8a041297257add4d289a705103665d1e39b3f70dfd1ce721f5992b29dcdb2cad8af4bf057f0f547b0fcf1a4a4b2727af4739255ce

Download Submit
C:\Windows\lsass.exe

Filesize
585KB

MD5
23c1bb8aba338cf690afc90d27248b13

SHA1
66d17b0ebaa75081275387cf67be34ddbbb64869

SHA256
c1afb6ca097978a6f8dadedd9a5c6dbfc667e5d35a41ce01fbef2b2dfb19c7e9

SHA512
262fb040b4ff41428a5fd299bacbb673eebb159c1ca3bf1e818c0b75e724810945b34ba9a675b94a23b2bed070af4abe81b39cb69d30c7019790d6f24dc40a1b

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
8e6e31f8df128a746ff9a3a38f8f78c0

SHA1
e4da9aa336eb7e254592e585b29d8b4e23f3e4bd

SHA256
dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7

SHA512
eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
498f7d112a7663cb7d204f8bab8a4689

SHA1
dc034d93e9253698dc6452fad90a2ef79fb02e2c

SHA256
6e6fcf24cc1f77da8f432ae1c43e20e79761c4f584cbad410c44b3a54e3e5d45

SHA512
0cc4da260f8377c9e68f32aa07bdd13c2aa33a5578fea1e220a8f25ae5670dcccfddb65c693c3bade6191adb2ff25f505ebc9f6cdae83422413c7ddda620fcc5

Download Submit
\Windows\DJP0Q3E\smss.exe

Filesize
585KB

MD5
4f3c643e93bfc13c62f77901a43a25a1

SHA1
7a1b7db37c846b74c3d7d9738b81967099604c79

SHA256
a4ee74a08d917965156b8b4410728363cd83c9cdda3dd77f5a2aab8d91c1d2a1

SHA512
9de6f5f587249fd74dd1cad8e17b6eb7465d44c71a0283673b85c596e5e9e67e4a5cd6920cd59dfe3d3757161f3a476bde358829dcf1b632a0fba7d8f564dba5

Download Submit
memory/1944-112-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1944-239-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2376-78-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2376-237-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2448-241-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2448-89-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2448-242-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2448-238-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2448-235-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2448-234-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2448-233-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2736-59-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2736-236-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2840-207-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2840-240-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2864-208-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2864-53-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/2864-55-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/2864-70-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/2864-76-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/2864-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2864-205-0x0000000003CC0000-0x0000000003D12000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads