2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
Size

320KB
MD5

bca6144a6b4042fa542cc789b02423b3
SHA1

bc0d9ee6ee0244b86466b4f1c0511c06386a3bb3
SHA256

2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1
SHA512

780e14bef0e47a3cfe8561e26268ffa0b4b34beb472f9c606160ac60ebe9f093832df0f1f194ba34a3afefefea44abb55f003e5066174342bd822ee1407003af
SSDEEP

6144:heHwXUU5EYCTvaBjRjWrLJKuKnGML5NjcxFSH:hyMUusvalgg5NjaFSH

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RXG5H8S\\DSC8L5S.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\RXG5H8S\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe

Executes dropped EXE 4 IoCs

pid	Process
2632	service.exe
2780	smss.exe
2676	system.exe
2152	lsass.exe

Loads dropped DLL 6 IoCs

pid	Process
2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016abb-115.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\sXG0R2W0 = "C:\\Windows\\system32\\FXW5G1YCGP3L4K.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0L5SGP = "C:\\Windows\\TWJ0R2W.exe"	system.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\N:	service.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\systear.dll	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\SysWOW64\MKO0T8H.exe	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\VMO0R1E\FXW5G1Y.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\FXW5G1YCGP3L4K.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\MKO0T8H.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\VMO0R1E	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\VMO0R1E	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\MKO0T8H.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\VMO0R1E\FXW5G1Y.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\FXW5G1YCGP3L4K.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\VMO0R1E\FXW5G1Y.cmd	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\VMO0R1E\FXW5G1Y.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\VMO0R1E	system.exe
File opened for modification	C:\Windows\SysWOW64\FXW5G1YCGP3L4K.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\SysWOW64\FXW5G1YCGP3L4K.exe	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\SysWOW64\VMO0R1E	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\MKO0T8H.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\VMO0R1E\FXW5G1Y.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\SysWOW64\MKO0T8H.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\VMO0R1E	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\SysWOW64\FXW5G1YCGP3L4K.exe	smss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RXG5H8S\system.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S\regedit.cmd	service.exe
File opened for modification	C:\Windows\RXG5H8S\service.exe	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\RXG5H8S\regedit.cmd	system.exe
File opened for modification	C:\Windows\TWJ0R2W.exe	lsass.exe
File opened for modification	C:\Windows\RXG5H8S\smss.exe	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\RXG5H8S\service.exe	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\RXG5H8S	lsass.exe
File opened for modification	C:\Windows\lsass.exe	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\CGP3L4K.exe	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File created	C:\Windows\MooNlight.txt	smss.exe
File opened for modification	C:\Windows\RXG5H8S	service.exe
File opened for modification	C:\Windows\RXG5H8S\service.exe	service.exe
File opened for modification	C:\Windows\moonlight.dll	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\RXG5H8S\winlogon.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S\QTQ0U7N.com	system.exe
File opened for modification	C:\Windows\RXG5H8S\QTQ0U7N.com	lsass.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\CGP3L4K.exe	system.exe
File opened for modification	C:\Windows\cypreg.dll	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\RXG5H8S\service.exe	smss.exe
File opened for modification	C:\Windows\CGP3L4K.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S\QTQ0U7N.com	service.exe
File opened for modification	C:\Windows\RXG5H8S\service.exe	system.exe
File opened for modification	C:\Windows\RXG5H8S\system.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\RXG5H8S\winlogon.exe	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\RXG5H8S\QTQ0U7N.com	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\RXG5H8S\smss.exe	smss.exe
File opened for modification	C:\Windows\TWJ0R2W.exe	smss.exe
File opened for modification	C:\Windows\RXG5H8S\regedit.cmd	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\RXG5H8S\DSC8L5S.exe	system.exe
File opened for modification	C:\Windows\RXG5H8S\MYpIC.zip	system.exe
File opened for modification	C:\Windows\TWJ0R2W.exe	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\CGP3L4K.exe	smss.exe
File opened for modification	C:\Windows\RXG5H8S\QTQ0U7N.com	smss.exe
File opened for modification	C:\Windows\moonlight.dll	system.exe
File opened for modification	C:\Windows\TWJ0R2W.exe	system.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\RXG5H8S\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	smss.exe
File opened for modification	C:\Windows\RXG5H8S	smss.exe
File opened for modification	C:\Windows\RXG5H8S\DSC8L5S.exe	smss.exe
File opened for modification	C:\Windows\RXG5H8S\smss.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S\system.exe	system.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\CGP3L4K.exe	lsass.exe
File opened for modification	C:\Windows\RXG5H8S	system.exe
File opened for modification	C:\Windows\RXG5H8S\system.exe	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\RXG5H8S\DSC8L5S.exe	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\RXG5H8S\winlogon.exe	system.exe
File opened for modification	C:\Windows\RXG5H8S\smss.exe	system.exe
File opened for modification	C:\Windows\RXG5H8S\smss.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
2632	service.exe
2780	smss.exe
2676	system.exe
2152	lsass.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2632	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	28
PID 2056 wrote to memory of 2632	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	28
PID 2056 wrote to memory of 2632	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	28
PID 2056 wrote to memory of 2632	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	28
PID 2056 wrote to memory of 2780	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	29
PID 2056 wrote to memory of 2780	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	29
PID 2056 wrote to memory of 2780	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	29
PID 2056 wrote to memory of 2780	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	29
PID 2056 wrote to memory of 2676	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	30
PID 2056 wrote to memory of 2676	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	30
PID 2056 wrote to memory of 2676	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	30
PID 2056 wrote to memory of 2676	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	30
PID 2056 wrote to memory of 2152	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	31
PID 2056 wrote to memory of 2152	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	31
PID 2056 wrote to memory of 2152	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	31
PID 2056 wrote to memory of 2152	2056	2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe	31

C:\Users\Admin\AppData\Local\Temp\2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe
"C:\Users\Admin\AppData\Local\Temp\2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\RXG5H8S\service.exe
  "C:\Windows\RXG5H8S\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Windows\RXG5H8S\smss.exe
  "C:\Windows\RXG5H8S\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2780
- C:\Windows\RXG5H8S\system.exe
  "C:\Windows\RXG5H8S\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2676
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CGP3L4K.exe

Filesize
320KB

MD5
20e26acff14650df6a0d8a1969bda998

SHA1
0ed2f1dd6f9b5440d54bfcb9a747a68e74a48ec2

SHA256
c96275e35432063076716ce909aa7c25dff7d0a0d64972fa1d51b389e61b691d

SHA512
b40b03084f895e6660f28be7dff5afa39df0977a572c7e12113bb7e0a1727d504fbc145b74d5c8be0817a23684a36fdaf708db701501c19bd6235a7105d8860e

Download Submit
C:\Windows\CGP3L4K.exe

Filesize
320KB

MD5
22f386a76b90a9b557dec656aa3ac61f

SHA1
63d49cf4d25a605271a3a098a0412cb7cd2c6967

SHA256
850a5ce24129972d43a8592fcadf4171378f801f413f41fa292000b2940f0aeb

SHA512
333c89cf3f5da4b6764728e4febd702c7ef41345952eae699ea32b33276dd4246e5d617f5747872dffbceedd0c85d25a431351e789abea3f7da8f0f998fadee3

Download Submit
C:\Windows\RXG5H8S\QTQ0U7N.com

Filesize
320KB

MD5
c6b9fd89a561af318be668b937316b64

SHA1
2ed426b4f1a1db0619e5dfdc004af19b693dbda6

SHA256
f4b113cb6d34a26d72805dd7d782e555eab860bb74728af906ac43d7f5379226

SHA512
a940f038e48e80e29b1ba38d6755bb5c5e7f8f29b60b53b0a3c3154c63941290000ec4ac1bd60f1775720efcc43e23153d518107e6f9ade42bb269b0b3bb602b

Download Submit
C:\Windows\RXG5H8S\service.exe

Filesize
320KB

MD5
136bf58207eb4a1c3422aea178839f4a

SHA1
c35aaf2e5ced3930b8a66f0fd4afa5444b7e2e93

SHA256
177f153c7d8848bdf3c36eda19433c7b9c5f206096d272938e493b96a6cb3742

SHA512
9db6bd2d9afdb47c54d0c55d4f4dc55910bff861d76cbda1e99778ec2d5cb6165ddeb30874e589e87169015e59cb7e1964ea03a467d89df9669ff4d5c912074f

Download Submit
C:\Windows\SysWOW64\FXW5G1YCGP3L4K.exe

Filesize
320KB

MD5
e3f47af366fe8b294271bd45835590aa

SHA1
62ea89a5f12ff41f7976799cdd473e20e3b6cb5b

SHA256
a5d140f7ce772e52e6aac482772366276eba8c99f5c57889ee88e6d52ef4e419

SHA512
7f06f560af997fcee100328b0e9f4cad360b03fc3eee5c2cc7faed2271a3c4128aae96a26b3bbf223342b9ca2a20accd8ed5a2c8b3c02bce269499b01c0714bb

Download Submit
C:\Windows\SysWOW64\MKO0T8H.exe

Filesize
320KB

MD5
4ac8107e905fc6a165e464d0464e3ef5

SHA1
bc0f895e54816997549edb6cdfedb27c90042fbe

SHA256
2efbd1a4e8db2e4bd1aec8a45f332422d60e8744f6acc31434c7882e4857da1a

SHA512
266ec78bdcf304338b172258d16d8ce2287e36ce3a3473eb1e36e3493af64748ec6fa787c86c2a4c12ef96aa3f530498a6d546aaa4df0a4a0a36e89b31b983dc

Download Submit
C:\Windows\SysWOW64\MKO0T8H.exe

Filesize
320KB

MD5
fee07778a717de28afc3fcbb44e37ed5

SHA1
7765c1213b566bddef7e900143efb9bd94deb172

SHA256
2299b5f37d14fc8bc480d39ee2ddfd6dd5632be8c5fc8941b9e0878e4666c859

SHA512
1aba92723e04481c7b5055dcd67221447496f23ee97ff7b6d5c1119763f816c9b4494796fc1f3e27ae7d51711e1efbd7bf18602568ed71f5d6f093a4c853e970

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
e3a28ca734f0df07447caa9f7d7b1f71

SHA1
eed1e3ac95bc2bc17bc685724249f2a739574574

SHA256
00258e0e89fdef848d0322fbdd10094063f1ade12839dea0983e8d5a574ceb0e

SHA512
0a99c90c3b067449eaadddcc5bdf8a3403466e8639a5ffce53f46b723d76fa1027426db764a2b101009c926dc179411a771aad99b1e21922e75ce851ba95e3d0

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
caca32ff099499df76e5acfa7c58cbf1

SHA1
aab297f54b27668749f4050bc20bc6a20b828577

SHA256
888a833a5dcded94cb99fd2b2ae5e27316f9438109e447f90759d7421269c7ec

SHA512
35a48b0185bdc44b4bf2b5af76954b5b558c0eaf87dfd8a369a33e2fdae28313fb5d03594a88ff2913de365453e72cb0105ffcbd5db862933379f4932ff22e71

Download Submit
C:\Windows\TWJ0R2W.exe

Filesize
320KB

MD5
4382067c485336e0470e2852635fce71

SHA1
06c45163f9c282448a2ace8de449db87ff45298d

SHA256
8fefeb25ef15aac4a7aec6a7943f869ad9cb8992bdc85507fe36ea220305b8d8

SHA512
a1be53e6033533263b4a1830156ab7ce83aa148c5149cd9829bc400eb947293974f85b88930e0abf7f29e19fc4377e5c5582c90f470f72b2c907f3fe57a3b76d

Download Submit
C:\Windows\TWJ0R2W.exe

Filesize
320KB

MD5
e4f171c33bf9e083749633d1ab530b9d

SHA1
f63d22d478174cb048d5fb37815e8ce0929cfd54

SHA256
b2d4b9777fb7987e314b8963b575bb5425b23f699acea605da608af90cd020ef

SHA512
6ff64c3f7b15482eda8349d974cea72b66f1b5de79a4f43a8b29d4f08ef52e2124e5983e494b6fdacd1915d39626aaa25101713f320f883f2c544b6bb94c0a1a

Download Submit
C:\Windows\TWJ0R2W.exe

Filesize
320KB

MD5
a1c2858dd5e7e64dc68efefcf160b899

SHA1
b389a4b7627dbfbc89175386aba8d2b56973472b

SHA256
18aebcdae1fd198c5f18219b410eb811c6e4c6694fdacb28df4a6512f7fee979

SHA512
627192ab8443498f171798360e556157463462c3820f17406d55b71178071b23c5c274bb201eb69f9ebf9f7ff493cd1a21e83b856354015a834bc45ff2c5fbb7

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
0928ffe3a68eaa83e73e9a7bfcfb188f

SHA1
0d75ea59cea8d884bb8ca193a07f1d382a8bf44a

SHA256
9e26c92c0860f1c5a0642a13b4cd7dba4d1a0d255982b1f30029c606f6614059

SHA512
8692ac112859c896041866eae9bb1d3340876a00f90a5d0a970dfee2b259402f030809cc4d4aaa966763925a37cd01bb37763faf513877735f4d7059e32d446f

Download Submit
C:\Windows\lsass.exe

Filesize
320KB

MD5
4d0331724b0e88a5e2b47eccb705c9fa

SHA1
90df1a3d26057a2fb9626ae59e033f922548349b

SHA256
bda6378e3f02fe63cb819dfb378612b5b994016fa5746ae5f5e942526c58c27c

SHA512
03311901e8cc24b8ced40e87b529d3f261db309477550e9c872a8a6f7c6beefcb79ff0b05edcc56b9e6350ef0eaec05e451568d15f6ee6da7c2c1f84c0efce0f

Download Submit
C:\Windows\lsass.exe

Filesize
320KB

MD5
9b5086ba3d41385e6d35954633c1c2ef

SHA1
6fe9a18cfcf83b8ac58c4dba49c47f1c5c1b5514

SHA256
3fea766416a537dc0a4e3b1f7d1780de85645c26316e69decdfa67c1ff48bdfe

SHA512
53bd3ca0b00c1b372e61fc793fac587ed16ec98832acf8ff927f2776bac3d11b2fbfa7c04ed7c1289e3d7c0bede7d708ecb96fa11cfd8edbe8cdf58676ceaadd

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
8e6e31f8df128a746ff9a3a38f8f78c0

SHA1
e4da9aa336eb7e254592e585b29d8b4e23f3e4bd

SHA256
dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7

SHA512
eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
df12c22c15e5d20bcba0a947d32c76dc

SHA1
e30fed1d8aab5dee6184e5bff65f2a3ba7c4a4f0

SHA256
21863c3aef99b11328b3f2d5469d86c5cce53a78b1e47958571bdcb17931e627

SHA512
e8811587bd716debe9c223b72fbe87c804b10d690f962c2696d6e76272685cf865d3c7c440f5a87712d6f2107d2a2d28c413ddd1d7dcb451d4b54d58b4bb6366

Download Submit
\Windows\RXG5H8S\smss.exe

Filesize
320KB

MD5
bca6144a6b4042fa542cc789b02423b3

SHA1
bc0d9ee6ee0244b86466b4f1c0511c06386a3bb3

SHA256
2d599a3d6c0d8d45802f7fb6de2500422cc9d9272ee976f590f5c575fc9c46e1

SHA512
780e14bef0e47a3cfe8561e26268ffa0b4b34beb472f9c606160ac60ebe9f093832df0f1f194ba34a3afefefea44abb55f003e5066174342bd822ee1407003af

Download Submit
\Windows\RXG5H8S\system.exe

Filesize
320KB

MD5
f7b71873f0e92da5b9ea819ec70476da

SHA1
82803cc5c67684e2709d73a0ddc1f0161239c937

SHA256
4b149ebcb040e0df9dd3f468eec426a228f9f67cd94d30c3437f1ba0224acf66

SHA512
3e0fbbcc4edbaab6ca3ed69ee6c6329a767ccd6cf3432379b6036cce70b8fc47c95c463cb5443e1b3ed885588ec78dfa890259fc03f015a1514942a2d648cae4

Download Submit
memory/2056-47-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/2056-174-0x0000000003BC0000-0x0000000003C12000-memory.dmp

Filesize
328KB

Download
memory/2056-55-0x0000000003590000-0x00000000035E2000-memory.dmp

Filesize
328KB

Download
memory/2056-177-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2056-172-0x0000000003BC0000-0x0000000003C12000-memory.dmp

Filesize
328KB

Download
memory/2056-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2152-176-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2152-220-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2632-217-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2632-57-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2676-219-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2676-212-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2676-215-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2676-216-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2676-211-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2676-78-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2676-221-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2676-222-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2676-223-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2780-218-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2780-66-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads