974c3a24a0957fe01a7529af455d7aa67554e11cf0312433666529cd1727c747

Analysis

max time kernel
119s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 09:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b6be5fba9ee1e92845b21eba0adf2d40N.exe
Size

441KB
MD5

b6be5fba9ee1e92845b21eba0adf2d40
SHA1

61ad80eb5e3f15fede5823da28f913e63237501b
SHA256

974c3a24a0957fe01a7529af455d7aa67554e11cf0312433666529cd1727c747
SHA512

1c67d15c60d328e717e398857fbadd2c0b72da835b76f7db08cdc44c9813e4c716a1e58f64f2679691c11da7e1371b007b9e9cf4b73f5a423ee93a4006352874
SSDEEP

6144:PeHwXUljWrLJKuKnGML5NjcxFSsQLH5AQ:PyMU0g5NjaFSsPQ

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\INT2V5J\\RJP4C2J.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\INT2V5J\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	b6be5fba9ee1e92845b21eba0adf2d40N.exe

Executes dropped EXE 5 IoCs

pid	Process
1460	service.exe
4700	smss.exe
4824	system.exe
3392	winlogon.exe
4520	lsass.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sNT5H7N0 = "C:\\Windows\\system32\\TOM1T6PPUG0C0X.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0C2JUG = "C:\\Windows\\KMW5H7N.exe"	system.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\Z:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\systear.dll	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\CYF5K4U.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\CYF5K4U.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\CYF5K4U.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\TOM1T6PPUG0C0X.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R\TOM1T6P.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\TOM1T6PPUG0C0X.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\TOM1T6PPUG0C0X.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R\TOM1T6P.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\TOM1T6PPUG0C0X.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\CYF5K4U.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\CYF5K4U.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R\TOM1T6P.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R\TOM1T6P.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\TOM1T6PPUG0C0X.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\CYF5K4U.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\TOM1T6PPUG0C0X.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R	service.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R\TOM1T6P.cmd	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R	smss.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\LDE6I7R\TOM1T6P.cmd	service.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\INT2V5J\system.exe	winlogon.exe
File opened for modification	C:\Windows\PUG0C0X.exe	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\INT2V5J\winlogon.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\lsass.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\INT2V5J\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\INT2V5J\HKH5L3E.com	winlogon.exe
File opened for modification	C:\Windows\INT2V5J\smss.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\INT2V5J\HKH5L3E.com	system.exe
File opened for modification	C:\Windows\INT2V5J\smss.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\INT2V5J\winlogon.exe	service.exe
File opened for modification	C:\Windows\INT2V5J\regedit.cmd	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\KMW5H7N.exe	system.exe
File opened for modification	C:\Windows\PUG0C0X.exe	winlogon.exe
File opened for modification	C:\Windows\INT2V5J\RJP4C2J.exe	service.exe
File opened for modification	C:\Windows\INT2V5J\system.exe	smss.exe
File opened for modification	C:\Windows\INT2V5J\smss.exe	service.exe
File opened for modification	C:\Windows\INT2V5J\HKH5L3E.com	service.exe
File opened for modification	C:\Windows\cypreg.dll	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\INT2V5J\smss.exe	system.exe
File opened for modification	C:\Windows\KMW5H7N.exe	winlogon.exe
File opened for modification	C:\Windows\INT2V5J\service.exe	service.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\INT2V5J\winlogon.exe	system.exe
File opened for modification	C:\Windows\KMW5H7N.exe	smss.exe
File opened for modification	C:\Windows\INT2V5J\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\INT2V5J\RJP4C2J.exe	lsass.exe
File opened for modification	C:\Windows\INT2V5J\HKH5L3E.com	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\KMW5H7N.exe	lsass.exe
File opened for modification	C:\Windows\INT2V5J\HKH5L3E.com	lsass.exe
File opened for modification	C:\Windows\INT2V5J	winlogon.exe
File opened for modification	C:\Windows\INT2V5J\smss.exe	smss.exe
File opened for modification	C:\Windows\INT2V5J\service.exe	smss.exe
File opened for modification	C:\Windows\INT2V5J\service.exe	system.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\INT2V5J\system.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\INT2V5J\winlogon.exe	smss.exe
File opened for modification	C:\Windows\INT2V5J\smss.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\INT2V5J\system.exe	system.exe
File opened for modification	C:\Windows\INT2V5J\regedit.cmd	system.exe
File opened for modification	C:\Windows\INT2V5J\service.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\INT2V5J	smss.exe
File opened for modification	C:\Windows\INT2V5J\service.exe	winlogon.exe
File opened for modification	C:\Windows\INT2V5J\HKH5L3E.com	smss.exe
File opened for modification	C:\Windows\PUG0C0X.exe	system.exe
File opened for modification	C:\Windows\INT2V5J\RJP4C2J.exe	winlogon.exe
File opened for modification	C:\Windows\INT2V5J\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\INT2V5J	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\KMW5H7N.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\INT2V5J\RJP4C2J.exe	b6be5fba9ee1e92845b21eba0adf2d40N.exe
File opened for modification	C:\Windows\PUG0C0X.exe	smss.exe
File opened for modification	C:\Windows\INT2V5J\RJP4C2J.exe	smss.exe
File opened for modification	C:\Windows\INT2V5J\RJP4C2J.exe	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\INT2V5J\system.exe	lsass.exe
File opened for modification	C:\Windows\PUG0C0X.exe	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6be5fba9ee1e92845b21eba0adf2d40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b6be5fba9ee1e92845b21eba0adf2d40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe
1460	service.exe
4700	smss.exe
4824	system.exe
3392	winlogon.exe
4520	lsass.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1460	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	87
PID 1400 wrote to memory of 1460	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	87
PID 1400 wrote to memory of 1460	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	87
PID 1400 wrote to memory of 4700	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	88
PID 1400 wrote to memory of 4700	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	88
PID 1400 wrote to memory of 4700	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	88
PID 1400 wrote to memory of 4824	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	89
PID 1400 wrote to memory of 4824	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	89
PID 1400 wrote to memory of 4824	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	89
PID 1400 wrote to memory of 3392	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	90
PID 1400 wrote to memory of 3392	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	90
PID 1400 wrote to memory of 3392	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	90
PID 1400 wrote to memory of 4520	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	91
PID 1400 wrote to memory of 4520	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	91
PID 1400 wrote to memory of 4520	1400	b6be5fba9ee1e92845b21eba0adf2d40N.exe	91

C:\Users\Admin\AppData\Local\Temp\b6be5fba9ee1e92845b21eba0adf2d40N.exe
"C:\Users\Admin\AppData\Local\Temp\b6be5fba9ee1e92845b21eba0adf2d40N.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\INT2V5J\service.exe
  "C:\Windows\INT2V5J\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1460
- C:\Windows\INT2V5J\smss.exe
  "C:\Windows\INT2V5J\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4700
- C:\Windows\INT2V5J\system.exe
  "C:\Windows\INT2V5J\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4824
- C:\Windows\INT2V5J\winlogon.exe
  "C:\Windows\INT2V5J\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3392
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\My Notebook.exe

Filesize
441KB

MD5
f14eb9f498da65be3d2816d916ecb03f

SHA1
f62e32fa12bc3cadb88997d8fef3365da00907ab

SHA256
38ce7efc428b5b00d3cf1bd927abe65fd96ca56b7b629a77f2ddd2d9c903f418

SHA512
61fd1f3ba4951e577de2ceecf85935303a546673537202934f4c4cd52bf109bf9fcbd5bd151770b63240a1ec3a2de940637fa83cea218e9490a9c0720a0c36af

Download Submit
C:\Windows\INT2V5J\HKH5L3E.com

Filesize
441KB

MD5
f6da0c207f72b6eed24ab13b85d75ffd

SHA1
a0341db4a6724b7f1a27e7d7529f9bf08ab696fc

SHA256
e9742beeac1199189e0f0b4bec3bac90e32bf3c79b5d9de06187d643d4556824

SHA512
8ec740284e3338c3f2605e93adbd3c5d5f7294c0fd1636a39733260585827ea2332525378a9a3898be6eddcc7b2c65be4f72832738f584a4cdffc33a75e71fa0

Download Submit
C:\Windows\INT2V5J\RJP4C2J.exe

Filesize
441KB

MD5
c4793cd34be42ab42d1910f2c0f2d9c9

SHA1
86ce272d3800699db11daf5739683821edb4d2cd

SHA256
558c435def2c28261d5615a1cb9c9dd22ced08f6ecae0fabaa2e40baf0a03ee4

SHA512
cd923ffcd009ef4157e2d2cb41b81731843b21cb6625e0beb8373f2979c75fbb0f6414aa4bed3a5c10a97a0c9c6a0a3a62d212d3ed707a03e1d1c3d26a3e127e

Download Submit
C:\Windows\INT2V5J\RJP4C2J.exe

Filesize
441KB

MD5
cdd2c32bd248b3f3c05b5add2df35b01

SHA1
4efc1892e0e66a1f9091762a3849256a544ac362

SHA256
eb0bce627fcfde97333438ac7f66ca3ea873c65af9a08ce7a47360e525aa5657

SHA512
ba25cb096e85a1ec4c510411ff5b83b0a05ca18f6074d7cd4bff3d521854b79e530ba442f53115ef481a394162924a030564e105712eb3df79daedaac2f72d16

Download Submit
C:\Windows\INT2V5J\regedit.cmd

Filesize
441KB

MD5
4eadf90f5c2602fdd0256ce12934ddf8

SHA1
a6d6adc02348359dc00804a3bde3fa6162febe89

SHA256
6deb8acf68392214c98688bf54f5632223416673de3e621aed3407e8505d965b

SHA512
c331226822588eff8623aa1ff8aefb4115a556b1913edec6e69cad0d8caa563a5cc8f2d9eeff77dc854d5f15a45127f0246cef0e706bb43680120bbf0abecb67

Download Submit
C:\Windows\INT2V5J\regedit.cmd

Filesize
441KB

MD5
d6ee83c391cba02a6101ccc61a75d6d6

SHA1
d9a37388f8edffc570de6eb2aec7fdb5784cc02a

SHA256
0be849b0846c0a4b10f248a562da7c15813415aa4fa48c2829efa22f34bcc450

SHA512
8cecce7c7a052dc8a06dc28814a12b4dca1275bc0119c44b3b9d8cf73ff4d23fa084ad98dd21f25febdb188b90ca19ae78eea51c165b953b81f0f9451923d5e8

Download Submit
C:\Windows\INT2V5J\service.exe

Filesize
441KB

MD5
c2b259caedb563365d6a4b7a799438e0

SHA1
781b13fa499c43e53a66a1e9e83b6aac484dc17a

SHA256
523d6be4bc23ade8745d062a8b5ab99893e99d1f0b555dc855d90dc4f49a3ea1

SHA512
60cb12baf34c690103fb4d60c8a734d636d78e855b559f6829b2e819abdee5187b143ba8dc6d1d51dbc33715fea68ff26b8db771318b8cca6e70beb716d9bca7

Download Submit
C:\Windows\INT2V5J\smss.exe

Filesize
441KB

MD5
5ed8186b22c93d10044c836a7bc59f41

SHA1
c40c11e884104a8f53db7413ac4f8f290091258c

SHA256
6ac8933b7c770a4665422303eb15080cc00eae8667fd9e06614312dfea14b826

SHA512
28f10a2db96389207c93b1d1424451dbcac2bf50e9cbef8bc87e3fd57c87a3a871aea6d717549a7e3861d0384ccff1f57618defb6eb66c988e7cd81e71c4e2d5

Download Submit
C:\Windows\INT2V5J\system.exe

Filesize
441KB

MD5
b6be5fba9ee1e92845b21eba0adf2d40

SHA1
61ad80eb5e3f15fede5823da28f913e63237501b

SHA256
974c3a24a0957fe01a7529af455d7aa67554e11cf0312433666529cd1727c747

SHA512
1c67d15c60d328e717e398857fbadd2c0b72da835b76f7db08cdc44c9813e4c716a1e58f64f2679691c11da7e1371b007b9e9cf4b73f5a423ee93a4006352874

Download Submit
C:\Windows\INT2V5J\winlogon.exe

Filesize
441KB

MD5
f2b3d1c1f347cd23cf2a47db714b3750

SHA1
01a1c1479c7ebb1b6d018e6de90214e7a66763f5

SHA256
f2a77a0ab3da752ac4b3b64e0e731f63541a086537014bba945c98fa6f5a334b

SHA512
da821214f5794b7eeeeb7e3c8cc42537e59ebb203dcf06bc57e8f6f943add0c354e86e7e4a202626b5fd1977d7af384a2053e81f5ebfcdeb3613e575571902df

Download Submit
C:\Windows\PUG0C0X.exe

Filesize
441KB

MD5
736bb038282e9c97f2e9cdfd6f9c589f

SHA1
70ee5afdffd42720a40c6d8b421bec80b9b6ee36

SHA256
88d252e5ccc5b3b72de7b5d532a3de66f6160223e84ce0adf84811ffe8e1820f

SHA512
74d01fb7a9635cda13421c19447bdc8152c16eca48f5692064599173df49d8cdee915b0141785db500f553c08a6becb4e1ae20b4bc00fe9d8f62a97b499bc292

Download Submit
C:\Windows\SysWOW64\CYF5K4U.exe

Filesize
441KB

MD5
15619390db7f3a3ec235cca3089a593d

SHA1
b8116c3f419892c0bad8b7f9542c7c1ca3dd4f39

SHA256
ed81444ed495c60bc946601aa1239e38391807d57696e56206dec4ae4977bdd9

SHA512
a2c976c45d85fb8e842faeb4fee6fe5281d9904ced199924be36c3a0976a52601d294e3c1a8f32b1dc6219cfba4fa625798d7cc357f220218de9833176f20e0e

Download Submit
C:\Windows\SysWOW64\LDE6I7R\TOM1T6P.cmd

Filesize
441KB

MD5
c3d57a5c34e372202b972f5fcdff04fd

SHA1
a1dc5d4e99bd3535b8fb9268b0fb388d75775fc7

SHA256
feebae542f3cc9201be00aff7a0a9468848b9c8007ef351193aeeca9f7f12f7d

SHA512
3c44b6044cce05bc66bbc9879730df12a49f71d5c72b2ff494f8dccecc6d03ca58b7079ef69203c3eac2933f138082c244bd272223fda6b88af01a2340139a76

Download Submit
C:\Windows\SysWOW64\TOM1T6PPUG0C0X.exe

Filesize
441KB

MD5
42b29ebbbf0f17320955733b349be911

SHA1
6a7d94a5f6b97d93bcdf3f2d2292e1561656c9ff

SHA256
260bb609f8fe749a0e84519cfc238fabeea8832750c327f22eb27f6cd3370587

SHA512
adee28bf82a071ef3b96bd55dd16e7c6cde5725ff4b2f7872014a8e03510dc93637b45d0e2e9f1fa47518140e2f468782ae3989a7e148e6ee157d5c6aeae874c

Download Submit
C:\Windows\SysWOW64\TOM1T6PPUG0C0X.exe

Filesize
441KB

MD5
050bed461b6d081a822b79fe89d0116f

SHA1
f81ced514c6932535180823ca26d1a59a33c1b60

SHA256
116393b8fef9478312caf5a69e48f8c20e1db00a4bd59cd99ec21765f3256932

SHA512
c426f212fd608ee1cb5d1eb122c44bbe0832c6786866f0b8aeee54df0ac5f9cf0da7cab7fc1e2a64c5daf4dcb9b3c00c313acd80a296b47cb44b657aa0271e16

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
ac7ceafe440e99b18281857ff6bf3888

SHA1
bd60b7fd12b929d7efebd0dafa2cb6d4be68b71a

SHA256
fa376c8784c86f700056c8f882120dbcaf78317543c93a51fcd93b34d70c0b87

SHA512
dfed520bac760cb964fbac44861e1459b8f9d2123b93204c8496f1db51af3aa2aebbf0304c60a183d263d2873d6fb29e4a345fea460eb56c2baf1cc56af67776

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
3901a79afc3ed429cd22c85474ed7ef7

SHA1
e93632ee1d9aad007dd3eac5a7298e81aa8c42f3

SHA256
b79cf2c7b87a0210f25c39c3ae1ea72df7b46a11575fdde8fea5f626790d581a

SHA512
797dd0e992262de121e3361a046ccc29b3b25cc75a2d4f97b0c633ae8ff7227d571d7504d9bb64d6791f97f1f89062c43d7b0e34f9271c95b8592b5e68247af2

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
3b2d06f4c718b88b450ce1ccd437e73f

SHA1
e0b49b16b45bae734cb30316a3237d245f22bdce

SHA256
6a4bf06e7d1c2ec235003c0a21c41fbd4505b0f60b419af144ee6a1c9a9a7610

SHA512
641968623fc81751675ee4ca67dad5964ae77e9d0fbf5f09e82a6dde9a63f88671d7f8637b2d047a4b56402ede648aeafa51420d99056fdaf6f3a566fc5a67bb

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
b8ebc4cf5cfc35dbd116076639c6ea4a

SHA1
8ccb2941483c70095ecc1f77b5d34465c1b3fc07

SHA256
2e5fcf58ca00004e2ab8793fb8ab64121119d4f737f6eb5baa7f52f8d3059d10

SHA512
6ba8d358e216965ee4b1c16afa21c8a773d8c903a6d37ae15ded25f0f13bf3424480a6e50c7d90c755c545b2c45ed1c0086993b427c2c37b492e775faec4f8ea

Download Submit
C:\Windows\lsass.exe

Filesize
441KB

MD5
6bd31a4b71a8cc7716bc8ad38db40851

SHA1
2f5f383b11d2f6d3bae8bf912b479490de59950e

SHA256
e885b55026c2087103fdb209109b91d4eb0b153d1faf805758bedffffe7d2dc2

SHA512
1403fa18b0921b44d648b142f06d4cc7e9529899b7cc258dbf2e29f46d674b98bbe524a1c676921b50860db108f71704231b059c6e1921386781b4206cf43918

Download Submit
C:\Windows\lsass.exe

Filesize
441KB

MD5
394b81d94c71f287c35a61e99d260b6d

SHA1
015e12a2530ce7de2c9da2470bcac30d4f7db56a

SHA256
c23752d7359c3b4160582ff1c509a99722e13b3788ee65dcac16b3c98b9ea0f4

SHA512
88f188aa5878a67a324a322537b05760bc4c9465c07abe3dad6ba7edf3c74178a65cfefeca7c70f477a54d22c5b82ae6fa249dea03f64c279ad4e194c7990edd

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
faccb368f1c32d9466d95f537be6983d

SHA1
4d34d1bf813a86bf952a6aab00cd79853bf6f109

SHA256
c91e9718a7ddf97a0a3006751af147415b1cc97e037d908d9d883b3942187a1a

SHA512
8f4a76f4ca840f833774b1cd7dfd7b96e992d7ac33c9f5750656ffaa9f74b6c3cfe876d09d2c2bb7fb4c04b47e9dde8d3fff9fdb3aea8e948d52d3f7a2b00b37

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
d31617474ea8cb619c37c0e5d1eca2c0

SHA1
8fe43a3362d5967982bd7887119231ad2d0460e3

SHA256
3d94af26a2348814cd2923d338d5c08bcf0d13152f66f4cf8480b7bc56655fec

SHA512
54028f19d0332cadd5ae5ce6220b76380bccfc1d6eff1116cabd4e9c72e0279fddc331b13b3e4cb1bc7e5a349cd9666b0c02de82206fbccd439ca42d991a443d

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
c6e72c1e418663017ccfea1bedf7eee7

SHA1
797a84957ebd22647d8e7ac62a81061496ea2ef2

SHA256
d6f15036a1fd7489d7c2a04dcb2be2f44dd9a0e752e5206698f7b462970f2e9a

SHA512
3f693de5fa31421e9a5c4ecf9182ac654a388a4934bc58b9e5e509419ea0e371d458ed8fe838f742003b3a250347e92ef9c23eac32f2cdca46fe494ff771191c

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
69adeac97dcfa2b99cd8cc3522021dfa

SHA1
4de0f0861805342f2c68d7b262c07f85446acc42

SHA256
181bf2a0eefd2f8af7d0b22dbb759d18648744b010bbcd470136d485b61bd152

SHA512
159c35ddce1ee182b0122d5822a04164c3f8116a862bd7874266c7d4d70fa889d7b2b6680a9b1dc3507e1ebe7778806b89f51ecb184e39c641f8cb84dd3c711f

Download Submit
memory/1400-209-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1400-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1460-55-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1460-266-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3392-76-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3392-269-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4520-235-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4520-270-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4700-63-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4700-267-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4824-75-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4824-268-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads