974c3a24a0957fe01a7529af455d7aa67554e11cf0312433666529cd1727c747

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6be5fba9ee1e92845b21eba0adf2d40N.exe
Size

441KB
MD5

b6be5fba9ee1e92845b21eba0adf2d40
SHA1

61ad80eb5e3f15fede5823da28f913e63237501b
SHA256

974c3a24a0957fe01a7529af455d7aa67554e11cf0312433666529cd1727c747
SHA512

1c67d15c60d328e717e398857fbadd2c0b72da835b76f7db08cdc44c9813e4c716a1e58f64f2679691c11da7e1371b007b9e9cf4b73f5a423ee93a4006352874
SSDEEP

6144:PeHwXUljWrLJKuKnGML5NjcxFSsQLH5AQ:PyMU0g5NjaFSsPQ

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RXG5H8S\\DSC8L5S.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\RXG5H8S\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe

Executes dropped EXE 3 IoCs

pid	Process
2824	service.exe
2744	smss.exe
1624	lsass.exe

Loads dropped DLL 4 IoCs

pid	Process
1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe
1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe
1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe
1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\sXG0Q2W0 = "C:\\Windows\\system32\\FXW5G1YCGP3L3J.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0L5SGP = "C:\\Windows\\TWJ0Q2W.exe"	system.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\Y:	service.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\UMO0R1D	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\FXW5G1YCGP3L3J.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D\FXW5G1Y.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D	lsass.exe
File opened for modification	C:\Windows\SysWOW64\LKO0T8G.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\FXW5G1YCGP3L3J.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\LKO0T8G.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\LKO0T8G.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D\FXW5G1Y.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\FXW5G1YCGP3L3J.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D\FXW5G1Y.cmd	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\FXW5G1YCGP3L3J.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D\FXW5G1Y.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D\FXW5G1Y.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\LKO0T8G.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\FXW5G1YCGP3L3J.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\LKO0T8G.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RXG5H8S	smss.exe
File opened for modification	C:\Windows\RXG5H8S\smss.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S\service.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S\smss.exe	smss.exe
File opened for modification	C:\Windows\TWJ0Q2W.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S\smss.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\lsass.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\CGP3L3J.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S\DSC8L5S.exe	smss.exe
File opened for modification	C:\Windows\RXG5H8S\winlogon.exe	system.exe
File opened for modification	C:\Windows\RXG5H8S	lsass.exe
File opened for modification	C:\Windows\RXG5H8S\smss.exe	lsass.exe
File opened for modification	C:\Windows\RXG5H8S\system.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\TWJ0Q2W.exe	smss.exe
File opened for modification	C:\Windows\RXG5H8S\system.exe	smss.exe
File opened for modification	C:\Windows\RXG5H8S\DSC8L5S.exe	system.exe
File opened for modification	C:\Windows\CGP3L3J.exe	lsass.exe
File opened for modification	C:\Windows\RXG5H8S\service.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\RXG5H8S\QTQ0U7N.com	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\CGP3L3J.exe	system.exe
File opened for modification	C:\Windows\RXG5H8S\system.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S\service.exe	smss.exe
File opened for modification	C:\Windows\RXG5H8S\winlogon.exe	smss.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\TWJ0Q2W.exe	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S\regedit.cmd	system.exe
File opened for modification	C:\Windows\RXG5H8S\DSC8L5S.exe	lsass.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\RXG5H8S\regedit.cmd	smss.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\RXG5H8S\service.exe	system.exe
File opened for modification	C:\Windows\RXG5H8S\smss.exe	system.exe
File opened for modification	C:\Windows\RXG5H8S\service.exe	lsass.exe
File opened for modification	C:\Windows\RXG5H8S\winlogon.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\RXG5H8S\DSC8L5S.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\RXG5H8S\MYpIC.zip	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\RXG5H8S\winlogon.exe	service.exe
File created	C:\Windows\MooNlight.txt	smss.exe
File opened for modification	C:\Windows\RXG5H8S\QTQ0U7N.com	system.exe
File opened for modification	C:\Windows\RXG5H8S\QTQ0U7N.com	lsass.exe
File opened for modification	C:\Windows\RXG5H8S\QTQ0U7N.com	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\RXG5H8S\DSC8L5S.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\CGP3L3J.exe	smss.exe
File opened for modification	C:\Windows\RXG5H8S	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\RXG5H8S	system.exe
File opened for modification	C:\Windows\RXG5H8S\system.exe	system.exe
File opened for modification	C:\Windows\RXG5H8S\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\RXG5H8S\regedit.cmd	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\CGP3L3J.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\RXG5H8S\regedit.cmd	service.exe
File opened for modification	C:\Windows\TWJ0Q2W.exe	system.exe
File opened for modification	C:\Windows\TWJ0Q2W.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\RXG5H8S	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6be5fba9ee1e92845b21eba0adf2d40N.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe
2824	service.exe
2744	smss.exe
2004	system.exe
1624	lsass.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2824	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	30
PID 1288 wrote to memory of 2824	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	30
PID 1288 wrote to memory of 2824	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	30
PID 1288 wrote to memory of 2824	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	30
PID 1288 wrote to memory of 2744	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	31
PID 1288 wrote to memory of 2744	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	31
PID 1288 wrote to memory of 2744	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	31
PID 1288 wrote to memory of 2744	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	31
PID 1288 wrote to memory of 2004	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	32
PID 1288 wrote to memory of 2004	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	32
PID 1288 wrote to memory of 2004	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	32
PID 1288 wrote to memory of 2004	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	32
PID 1288 wrote to memory of 1624	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	33
PID 1288 wrote to memory of 1624	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	33
PID 1288 wrote to memory of 1624	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	33
PID 1288 wrote to memory of 1624	1288	b6be5fba9ee1e92845b21eba0adf2d40N.exe	33

C:\Users\Admin\AppData\Local\Temp\b6be5fba9ee1e92845b21eba0adf2d40N.exe
"C:\Users\Admin\AppData\Local\Temp\b6be5fba9ee1e92845b21eba0adf2d40N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\RXG5H8S\service.exe
  "C:\Windows\RXG5H8S\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2824
- C:\Windows\RXG5H8S\smss.exe
  "C:\Windows\RXG5H8S\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2744
- C:\Windows\RXG5H8S\system.exe
  "C:\Windows\RXG5H8S\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2004
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CGP3L3J.exe

Filesize
441KB

MD5
41d677b63207954e5306bfebb45fcfed

SHA1
6bb532d40fdcc62ba39d5184d2ab9190c992980a

SHA256
868d3dae4b47f9ef9891d5db978fdc9bf3fa5a80e8b7ca3c63b169d904f006e7

SHA512
4be71a2907b8e00d645e4f75515a02439a614a993ab1bb0a1738306ffc080a03389581b5931862a224eb35d3432116058b5ce5b1af27563a0e61cb3fb626d1de

Download Submit
C:\Windows\RXG5H8S\DSC8L5S.exe

Filesize
441KB

MD5
1e02b9707a4f7707ee14843add3672f7

SHA1
b08dc8e93ac449fadab51db349d9092e1788ceca

SHA256
84e83dffe9e911fd5d7f733217ab9db5ac50381be702bb3ddfc76a20a963d548

SHA512
d3cd795a7d68192c8a4d3d052815f1dccb7dd1834ff9e6a60473960e30fe561ff49e0fe8ebe28350198562b18e0c6cb442988bb73af135384204e854bc3d29c6

Download Submit
C:\Windows\RXG5H8S\QTQ0U7N.com

Filesize
441KB

MD5
5ed8186b22c93d10044c836a7bc59f41

SHA1
c40c11e884104a8f53db7413ac4f8f290091258c

SHA256
6ac8933b7c770a4665422303eb15080cc00eae8667fd9e06614312dfea14b826

SHA512
28f10a2db96389207c93b1d1424451dbcac2bf50e9cbef8bc87e3fd57c87a3a871aea6d717549a7e3861d0384ccff1f57618defb6eb66c988e7cd81e71c4e2d5

Download Submit
C:\Windows\RXG5H8S\QTQ0U7N.com

Filesize
441KB

MD5
d6ee83c391cba02a6101ccc61a75d6d6

SHA1
d9a37388f8edffc570de6eb2aec7fdb5784cc02a

SHA256
0be849b0846c0a4b10f248a562da7c15813415aa4fa48c2829efa22f34bcc450

SHA512
8cecce7c7a052dc8a06dc28814a12b4dca1275bc0119c44b3b9d8cf73ff4d23fa084ad98dd21f25febdb188b90ca19ae78eea51c165b953b81f0f9451923d5e8

Download Submit
C:\Windows\RXG5H8S\regedit.cmd

Filesize
441KB

MD5
f2b3d1c1f347cd23cf2a47db714b3750

SHA1
01a1c1479c7ebb1b6d018e6de90214e7a66763f5

SHA256
f2a77a0ab3da752ac4b3b64e0e731f63541a086537014bba945c98fa6f5a334b

SHA512
da821214f5794b7eeeeb7e3c8cc42537e59ebb203dcf06bc57e8f6f943add0c354e86e7e4a202626b5fd1977d7af384a2053e81f5ebfcdeb3613e575571902df

Download Submit
C:\Windows\RXG5H8S\service.exe

Filesize
441KB

MD5
42aa69ffdd7c1dab678fa5158d086c24

SHA1
cfb7641043a88e5305094183a598eaca4438d993

SHA256
a36847d6f5b728c66480f5b12e303c1cb94615e766e76e36e689ae74aa8302ab

SHA512
0bbb7a265fc20443241e8ef29f6e931e577e50af675d78f8a20febe70cceb028d0a76def2a1cdb7647bcf7417f234a280dbe83ac40a9ab1defa3b817faf640bb

Download Submit
C:\Windows\RXG5H8S\smss.exe

Filesize
441KB

MD5
f6da0c207f72b6eed24ab13b85d75ffd

SHA1
a0341db4a6724b7f1a27e7d7529f9bf08ab696fc

SHA256
e9742beeac1199189e0f0b4bec3bac90e32bf3c79b5d9de06187d643d4556824

SHA512
8ec740284e3338c3f2605e93adbd3c5d5f7294c0fd1636a39733260585827ea2332525378a9a3898be6eddcc7b2c65be4f72832738f584a4cdffc33a75e71fa0

Download Submit
C:\Windows\RXG5H8S\system.exe

Filesize
441KB

MD5
f14eb9f498da65be3d2816d916ecb03f

SHA1
f62e32fa12bc3cadb88997d8fef3365da00907ab

SHA256
38ce7efc428b5b00d3cf1bd927abe65fd96ca56b7b629a77f2ddd2d9c903f418

SHA512
61fd1f3ba4951e577de2ceecf85935303a546673537202934f4c4cd52bf109bf9fcbd5bd151770b63240a1ec3a2de940637fa83cea218e9490a9c0720a0c36af

Download Submit
C:\Windows\RXG5H8S\winlogon.exe

Filesize
441KB

MD5
d1b6491f26710584db2e08a573ea835d

SHA1
f964557103b4e7f391a1e94bd97239580a1e99e8

SHA256
4d8c17e3243c7ddd38664a0a015d8c26db359d026f6b3a17fee54c13c122edef

SHA512
e82d63d50cb87c8779ecfdc33ba623dcbf37ebebe42f6a082dcb6cb3e936976cee507796479dc45c899a8aa0c6af92835736462e69103f2a071660d264be929c

Download Submit
C:\Windows\SysWOW64\FXW5G1YCGP3L3J.exe

Filesize
441KB

MD5
c3d57a5c34e372202b972f5fcdff04fd

SHA1
a1dc5d4e99bd3535b8fb9268b0fb388d75775fc7

SHA256
feebae542f3cc9201be00aff7a0a9468848b9c8007ef351193aeeca9f7f12f7d

SHA512
3c44b6044cce05bc66bbc9879730df12a49f71d5c72b2ff494f8dccecc6d03ca58b7079ef69203c3eac2933f138082c244bd272223fda6b88af01a2340139a76

Download Submit
C:\Windows\SysWOW64\FXW5G1YCGP3L3J.exe

Filesize
441KB

MD5
736bb038282e9c97f2e9cdfd6f9c589f

SHA1
70ee5afdffd42720a40c6d8b421bec80b9b6ee36

SHA256
88d252e5ccc5b3b72de7b5d532a3de66f6160223e84ce0adf84811ffe8e1820f

SHA512
74d01fb7a9635cda13421c19447bdc8152c16eca48f5692064599173df49d8cdee915b0141785db500f553c08a6becb4e1ae20b4bc00fe9d8f62a97b499bc292

Download Submit
C:\Windows\SysWOW64\LKO0T8G.exe

Filesize
441KB

MD5
050bed461b6d081a822b79fe89d0116f

SHA1
f81ced514c6932535180823ca26d1a59a33c1b60

SHA256
116393b8fef9478312caf5a69e48f8c20e1db00a4bd59cd99ec21765f3256932

SHA512
c426f212fd608ee1cb5d1eb122c44bbe0832c6786866f0b8aeee54df0ac5f9cf0da7cab7fc1e2a64c5daf4dcb9b3c00c313acd80a296b47cb44b657aa0271e16

Download Submit
C:\Windows\SysWOW64\LKO0T8G.exe

Filesize
441KB

MD5
15619390db7f3a3ec235cca3089a593d

SHA1
b8116c3f419892c0bad8b7f9542c7c1ca3dd4f39

SHA256
ed81444ed495c60bc946601aa1239e38391807d57696e56206dec4ae4977bdd9

SHA512
a2c976c45d85fb8e842faeb4fee6fe5281d9904ced199924be36c3a0976a52601d294e3c1a8f32b1dc6219cfba4fa625798d7cc357f220218de9833176f20e0e

Download Submit
C:\Windows\SysWOW64\UMO0R1D\FXW5G1Y.cmd

Filesize
441KB

MD5
c4793cd34be42ab42d1910f2c0f2d9c9

SHA1
86ce272d3800699db11daf5739683821edb4d2cd

SHA256
558c435def2c28261d5615a1cb9c9dd22ced08f6ecae0fabaa2e40baf0a03ee4

SHA512
cd923ffcd009ef4157e2d2cb41b81731843b21cb6625e0beb8373f2979c75fbb0f6414aa4bed3a5c10a97a0c9c6a0a3a62d212d3ed707a03e1d1c3d26a3e127e

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
6cf14f7ce53048dde35ad017d6efc3ef

SHA1
d51afe504427645334cb44b428ce93474e56fe11

SHA256
22eb789768d1885250d445ab4a3a0abfbb3cff87256758acb9b42dde6fe4c8bc

SHA512
df58ca1dba9fca53302ed25b3ff2bb28448acff268b5d55319d8b90ba854e7abe0fdbfdd22cd3231648e1eb16903daf430d5163be8b9b460181ecc5db78a3778

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
358904093fb2392dabb2d95d8624a40c

SHA1
a788182c403db1fedd07bb7efa9e2e45dc05585c

SHA256
6e00c7c33c749781fcadb5c91a79d6e929efb01826eb2082be85eef468ffe746

SHA512
b198abacea6a1a4abdffb33480b0146c3243307f2ad6c8dc96b94cf027b1cd405f8411fc989c6ed15389b17032d4e77ac68b4f6e1efd4eb94499382496d01b8f

Download Submit
C:\Windows\TWJ0Q2W.exe

Filesize
441KB

MD5
69656c7ba53aecf5701e50981a17f7b3

SHA1
223bf7586d1e7aea3939ff0b6b0d94907eb41962

SHA256
70ebdd9a0973ce61dfae499bd48b3d21b267954e7c711db79b96ba770dc9d9b2

SHA512
dd56e6fc36136c813165938238e2a7cc93cccc7a822bb071fbe4787335291f481dc5dc7c3d9ff09a64467361f8d5c634c7651bc7f03e04f90492ba381bb7eeb7

Download Submit
C:\Windows\TWJ0Q2W.exe

Filesize
441KB

MD5
1500dceaff6a68ce333f06750f7a9056

SHA1
a838f06ca8357bd8e6a191dcfbfc5eedfcd9125d

SHA256
9f08ed58a04225cf3d89d232b3fae89bb3f54bb250c2a361308a6401d6b516a3

SHA512
016855f15efc456faaeffed75909bf70f79821eecdd35210cfbbd0ba7fdd9bd152882dd5ddb11ef3d442df675bdfb5709a50f41b98d7dea6f960a8671fd79084

Download Submit
C:\Windows\TWJ0Q2W.exe

Filesize
441KB

MD5
cdd2c32bd248b3f3c05b5add2df35b01

SHA1
4efc1892e0e66a1f9091762a3849256a544ac362

SHA256
eb0bce627fcfde97333438ac7f66ca3ea873c65af9a08ce7a47360e525aa5657

SHA512
ba25cb096e85a1ec4c510411ff5b83b0a05ca18f6074d7cd4bff3d521854b79e530ba442f53115ef481a394162924a030564e105712eb3df79daedaac2f72d16

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
380af134fab7517ce0e3620166cb31f6

SHA1
dd22ad39bb3f536f696a31902dd38034889ceadc

SHA256
8b4d4c46319b873872c909072304a6d9ccdb0ca2b390090a02286a66a9500e50

SHA512
e26142ad875954e0dbb00e2190ac436aae260e9cebb18ae53671928dc289309c9a6079f9b2b4763b21edc6d1ffe7f8487466fa6ac33ddb97d734026a4865cc51

Download Submit
C:\Windows\lsass.exe

Filesize
441KB

MD5
4eadf90f5c2602fdd0256ce12934ddf8

SHA1
a6d6adc02348359dc00804a3bde3fa6162febe89

SHA256
6deb8acf68392214c98688bf54f5632223416673de3e621aed3407e8505d965b

SHA512
c331226822588eff8623aa1ff8aefb4115a556b1913edec6e69cad0d8caa563a5cc8f2d9eeff77dc854d5f15a45127f0246cef0e706bb43680120bbf0abecb67

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
c5e4b696a7f3aff01b24a159e8cb4c94

SHA1
b2b365da8d8354f6d8311139b8e8a6dfea0eaaaa

SHA256
516385638ae8389c435e0ce140edae54b7b3488ec2584ebaaa10fc7a519d6cb8

SHA512
a8418a12c989dc8c7e4f2d6779e580bdc0c2ad6d9544f8da1576d8b8375ea152e6a5d5000d4175f2a5b519b6489318e9574558182a2f4d77147708faa546a53b

Download Submit
memory/1288-168-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1288-53-0x0000000002910000-0x0000000002962000-memory.dmp

Filesize
328KB

Download
memory/1288-152-0x0000000003EE0000-0x0000000003F32000-memory.dmp

Filesize
328KB

Download
memory/1288-54-0x0000000002910000-0x0000000002962000-memory.dmp

Filesize
328KB

Download
memory/1288-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1288-116-0x0000000002910000-0x0000000002962000-memory.dmp

Filesize
328KB

Download
memory/1288-151-0x0000000003EE0000-0x0000000003F32000-memory.dmp

Filesize
328KB

Download
memory/1624-153-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1624-188-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2004-126-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2004-181-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2004-187-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2004-190-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2004-197-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2744-73-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2744-186-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2824-55-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2824-185-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads