98b6f22370f59fd9482bf2f6c622c2afc92a441917328b2337d4b4780ab7201a

Resubmissions

28-03-2022 02:35

220328-c3bd6acaaj 10

Analysis

max time kernel
300s
max time network
286s
platform
windows10_x64
resource
win10-20220223-en
submitted
28-03-2022 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

heukms/HEU_KMS_Activator_v19.5.1.exe
Size

4.8MB
MD5

7cd8b711be93ff8858b7dc753c4065ca
SHA1

358ead5466fd6f67545cd77d87d541235449558f
SHA256

4159ba56c793d9a4ea76a1f364534e9af97ba28e750104697c10d6d97f6c2cfa
SHA512

99a03912de71e832de24f16f225c38325ad4d5358f31286fe9e27e8face8590aac2ac29abe3d49833154e02ef4612e6dcf6444d7e397baeae3d43d9e6ff6b897

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

7Z.EXEkms_x64.exe

pid process

3992 7Z.EXE
508 kms_x64.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3992	7Z.EXE
508	kms_x64.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Windows\_temp03280247585362\kms_x64.exe	autoit_exe
C:\Windows\_temp03280247585362\kms_x64.exe	autoit_exe

Drops file in Windows directory 64 IoCs

Processes:

HEU_KMS_Activator_v19.5.1.exe7Z.EXEcmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Windows\_temp03280247585362\7Z.EXE	HEU_KMS_Activator_v19.5.1.exe
File opened for modification	C:\Windows\_temp03280247585362\pic\ver.ico	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\x64\SetACL.exe	7Z.EXE
File created	C:\Windows\_temp03280247585362\x64\msvcr100.dll	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\x64\SECOPatcher.dll	7Z.EXE
File created	C:\Windows\_temp03280247585362\Office2010OSPP\SLERROR.XML	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\x86\cleanospp.exe	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\x64\cleanospp.exe	7Z.EXE
File created	C:\Windows\_temp03280247585362\kms.exe	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\SvcTrigger.xml	7Z.EXE
File created	C:\Windows\_temp03280247585362\x64\cleanospp.exe	7Z.EXE
File created	C:\Windows\_temp03280247585362\kms_x64.exe	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\x86\SetACL.exe	7Z.EXE
File created	C:\Windows\_temp03280247585362\digital.7z	HEU_KMS_Activator_v19.5.1.exe
File opened for modification	C:\Windows\_temp03280247585362\OtherOfficeOSPP	7Z.EXE
File created	C:\Windows\_temp03280247585362\pic\shuoming.jpg	7Z.EXE
File created	C:\Windows\_temp03280247585362\HEU_KMS_Renewal.xml	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\x86\SECOPatcher.dll	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\ScriptDir.ini	cmd.exe
File opened for modification	C:\Windows\ScriptTemp.ini	cmd.exe
File created	C:\Windows\_temp03280247585362\cert.7z	HEU_KMS_Activator_v19.5.1.exe
File opened for modification	C:\Windows\_temp03280247585362\x86\SppExtComObjHook.dll	7Z.EXE
File created	C:\Windows\_temp03280247585362\x86\SECOPatcher.dll	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\pic\ewm_wx.jpg	7Z.EXE
File created	C:\Windows\_temp03280247585362\OtherOfficeOSPP\slerror.xml	7Z.EXE
File created	C:\Windows\_temp03280247585362\OtherOfficeOSPP\OSPP.VBS	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\x86\msvcr100.dll	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\kms-client.exe	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\kms-server.exe	7Z.EXE
File created	C:\Windows\_temp03280247585362\x64\SetACL.exe	7Z.EXE
File created	C:\Windows\splashlogo.gif	HEU_KMS_Activator_v19.5.1.exe
File created	C:\Windows\_temp03280247585362\pic\left.jpg	7Z.EXE
File created	C:\Windows\_temp03280247585362\pic\restore.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\HEU_Configuration.ini	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\Office2010OSPP\OSPP.VBS	7Z.EXE
File created	C:\Windows\_temp03280247585362\SetupComplete.data	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\kms_x64.exe	7Z.EXE
File created	C:\Windows\_temp03280247585362\KMSmini.7z	HEU_KMS_Activator_v19.5.1.exe
File created	C:\Windows\HeuKmsRenewal\HEU_KMS_Activator.exe	HEU_KMS_Activator_v19.5.1.exe
File created	C:\Windows\_temp03280247585362\pic\ewm_zfb.jpg	7Z.EXE
File created	C:\Windows\_temp03280247585362\pic\zanzhu.ico	7Z.EXE
File created	C:\Windows\_temp03280247585362\ScriptDir.ini	cmd.exe
File opened for modification	C:\Windows\_temp03280247585362\Office2010OSPP	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\pic\Windows.jpg	7Z.EXE
File created	C:\Windows\_temp03280247585362\Office2010OSPP\OSPP.VBS	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\OtherOfficeOSPP\OSPP.VBS	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\ScriptDir.ini	cmd.exe
File opened for modification	C:\Windows\_temp03280247585362\x86	7Z.EXE
File created	C:\Windows\_temp03280247585362\pic\ver.ico	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\SetupComplete.data	7Z.EXE
File created	C:\Windows\_temp03280247585362\x86\SppExtComObjHook.dll	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\DigitalLicence.7z	HEU_KMS_Activator_v19.5.1.exe
File opened for modification	C:\Windows\_temp03280247585362\GetProductKey.data	7Z.EXE
File created	C:\Windows\_temp03280247585362\kms-server.exe	7Z.EXE
File created	C:\Windows\_temp03280247585362\x64\SECOPatcher.dll	7Z.EXE
File created	C:\Windows\_temp03280247585362\x64\SppExtComObjHook.dll	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\x64\SppExtComObjHook.dll	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\cert.7z	HEU_KMS_Activator_v19.5.1.exe
File created	C:\Windows\_temp03280247585362\pic\ewm_wx.jpg	7Z.EXE
File created	C:\Windows\_temp03280247585362\pic\office.jpg	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\pic\restore.bmp	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\pic\head.jpg	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\pic\shuoming.jpg	7Z.EXE
File opened for modification	C:\Windows\_temp03280247585362\pic\backup.bmp	7Z.EXE

NTFS ADS 2 IoCs

Processes:

HEU_KMS_Activator_v19.5.1.exekms_x64.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\heukms\winmgmts:\root\cimv2	HEU_KMS_Activator_v19.5.1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\heukms\winmgmts:\root\cimv2	kms_x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

kms_x64.exe

pid process

508 kms_x64.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

HEU_KMS_Activator_v19.5.1.exe

pid process

3536 HEU_KMS_Activator_v19.5.1.exe
3536 HEU_KMS_Activator_v19.5.1.exe

pid	process
508	kms_x64.exe

pid	process
3536	HEU_KMS_Activator_v19.5.1.exe
3536	HEU_KMS_Activator_v19.5.1.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

HEU_KMS_Activator_v19.5.1.execmd.execmd.exe

description	pid	process	target process
PID 3536 wrote to memory of 3600	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3600	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3600	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3896	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3896	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3896	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3524	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3524	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3524	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3524 wrote to memory of 3952	3524	cmd.exe	netsh.exe
PID 3524 wrote to memory of 3952	3524	cmd.exe	netsh.exe
PID 3524 wrote to memory of 3952	3524	cmd.exe	netsh.exe
PID 3536 wrote to memory of 3964	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3964	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3964	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3964 wrote to memory of 3692	3964	cmd.exe	netsh.exe
PID 3964 wrote to memory of 3692	3964	cmd.exe	netsh.exe
PID 3964 wrote to memory of 3692	3964	cmd.exe	netsh.exe
PID 3536 wrote to memory of 3992	3536	HEU_KMS_Activator_v19.5.1.exe	7Z.EXE
PID 3536 wrote to memory of 3992	3536	HEU_KMS_Activator_v19.5.1.exe	7Z.EXE
PID 3536 wrote to memory of 3992	3536	HEU_KMS_Activator_v19.5.1.exe	7Z.EXE
PID 3536 wrote to memory of 3984	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3984	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 3984	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 1892	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 1892	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 1892	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 4076	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 4076	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 4076	3536	HEU_KMS_Activator_v19.5.1.exe	cmd.exe
PID 3536 wrote to memory of 508	3536	HEU_KMS_Activator_v19.5.1.exe	kms_x64.exe
PID 3536 wrote to memory of 508	3536	HEU_KMS_Activator_v19.5.1.exe	kms_x64.exe

C:\Users\Admin\AppData\Local\Temp\heukms\HEU_KMS_Activator_v19.5.1.exe
"C:\Users\Admin\AppData\Local\Temp\heukms\HEU_KMS_Activator_v19.5.1.exe"
1⤵
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini
2⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo Temp=_temp03280247585362 >>%windir%\ScriptTemp.ini
2⤵
- Drops file in Windows directory
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall delete rule name="HEU_KMS_Activator"
2⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="HEU_KMS_Activator"
3⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\Admin\AppData\Local\Temp\heukms\HEU_KMS_Activator_v19.5.1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\Admin\AppData\Local\Temp\heukms\HEU_KMS_Activator_v19.5.1.exe"
3⤵
PID:3692

C:\Windows\_temp03280247585362\7Z.EXE
C:\Windows\_temp03280247585362\7Z.EXE x C:\Windows\_temp03280247585362\KMSmini.7z -y -oC:\Windows\_temp03280247585362
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo [Direction] >%windir%\_temp03280247585362\ScriptDir.ini
2⤵
- Drops file in Windows directory
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo Dir=C:\Users\Admin\AppData\Local\Temp\heukms >>%windir%\_temp03280247585362\ScriptDir.ini
2⤵
- Drops file in Windows directory
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo Name=HEU_KMS_Activator_v19.5.1.exe >>%windir%\_temp03280247585362\ScriptDir.ini
2⤵
- Drops file in Windows directory
PID:4076

C:\Windows\_temp03280247585362\kms_x64.exe
C:\Windows\_temp03280247585362\kms_x64.exe
2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
PID:508

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ScriptTemp.ini
Filesize
36B

MD5
40c14ae7cef4dacc3148f7afb7561bfd

SHA1
1a96608eb7cfcee85468058918d41e7fbdf95c63

SHA256
657d867701336d2409ec0e17ff790518413ac2b7318e23e5e8f43f3c06653d19

SHA512
79043947f2e020ce246ef61a6e5eb5df856a210259a73fcdd2fce20231d93cc907351f81ad2395a57ade71824f4688da18cca53238243a80c23fbf0e2c3d4b8f

Download Submit
C:\Windows\ScriptTemp.ini
Filesize
36B

MD5
40c14ae7cef4dacc3148f7afb7561bfd

SHA1
1a96608eb7cfcee85468058918d41e7fbdf95c63

SHA256
657d867701336d2409ec0e17ff790518413ac2b7318e23e5e8f43f3c06653d19

SHA512
79043947f2e020ce246ef61a6e5eb5df856a210259a73fcdd2fce20231d93cc907351f81ad2395a57ade71824f4688da18cca53238243a80c23fbf0e2c3d4b8f

Download Submit
C:\Windows\_temp03280247585362\7Z.EXE
Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Windows\_temp03280247585362\7Z.EXE
Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Windows\_temp03280247585362\KMSmini.7z
Filesize
1.7MB

MD5
e95e0a57caf3e24c190cd303aababa7a

SHA1
25c8a267fe760baf9b638d39af73806034b6b3e8

SHA256
ce54bd0ca93b73bbbfc2afbb2c6f7159d83a3a5caeb92146d850765a1b6a9da0

SHA512
033e112700c8c2bb4e4d68852ad959608b7be4fa46fabde41c05ffea69982a8f440684aa93f0a686d65fe5e4394b7d5d3dfd1924d44b2abbf6da0256b9b49e9c

Download Submit
C:\Windows\_temp03280247585362\ScriptDir.ini
Filesize
61B

MD5
9954071455def499b90dda51143dc85e

SHA1
a8afbd586edc17684b2ee60a11a47bf43b5ade9c

SHA256
36a6269d665fb3f1510a5e61a6bbc2b8dd207c63e5b2eedb97e3282e99c860c1

SHA512
fa9da09477576d023cbee8cc16692f6ef80df1621739388ad91268681783d2f1e970938933e9ff29e734110cf378db4c476538481931c414253e7738f91c83be

Download Submit
C:\Windows\_temp03280247585362\ScriptDir.ini
Filesize
98B

MD5
11b8392963c661c8802cb8737dba1b1e

SHA1
ecb45b103b9e2aae65e2710560322c9ddd5bc3b4

SHA256
3279ee3037f9ba4e6cc60569dfd8818f597ee9699028db8595ee1a8db31be8fa

SHA512
aa1217c367f59387f8ec51a1f1ac691fa3538c03d56a025d3be5fe3eff116957fc313b3ed40ea57cf69ddca7128a32e8ffd663df07dfa0a879665aaa42dc78f1

Download Submit
C:\Windows\_temp03280247585362\kms_x64.exe
Filesize
1.0MB

MD5
99df73a907996e98e96917fae743b506

SHA1
a2399225048b685c15e34a1880bdb619d352d0dc

SHA256
dea555536f4ae87a381111e07f9058e4111170ae273863774a52ada531114a65

SHA512
cbe1f85eec790e0979ea115eac5716df1f9a86b078b72a8c2637ba49dbb95787937f177e976ed877316915327346b409e71f91d970df82d5e8d3d26f53b8eb4b

Download Submit
C:\Windows\_temp03280247585362\kms_x64.exe
Filesize
1.0MB

MD5
99df73a907996e98e96917fae743b506

SHA1
a2399225048b685c15e34a1880bdb619d352d0dc

SHA256
dea555536f4ae87a381111e07f9058e4111170ae273863774a52ada531114a65

SHA512
cbe1f85eec790e0979ea115eac5716df1f9a86b078b72a8c2637ba49dbb95787937f177e976ed877316915327346b409e71f91d970df82d5e8d3d26f53b8eb4b

Download Submit
C:\Windows\_temp03280247585362\pic\ewm_wx.jpg
Filesize
32KB

MD5
362e94b6ad5ac32ced1e9c84b7409506

SHA1
094584059b3e3462da4298b651a92d1fd0691325

SHA256
1f81e6d61080adbbacb425c21bc9fc8eb33269da462cbf00fbf6be3bdb14c308

SHA512
672a21ffbdc578e820e307acef68bd1cb0a252adc3e2dd6f097fb6320bb313f89711e71c232589b78bb856323e062424a73edfd5720a68e4d7b67c044cc7fdab

Download Submit
C:\Windows\_temp03280247585362\pic\ewm_zfb.jpg
Filesize
33KB

MD5
d3a12977fffc2002685151f0af5143ea

SHA1
ac3c887bee44748fa9192aaa32606ea768b9e459

SHA256
f046f91eac3dbe86d9e2dcc11281ca855a96f15a8f8ed62f0216f3076826fa35

SHA512
4247aee80b6f55466d4ba2fc6b3d9ba76575cbdbc74b96cb810768d396c1e7469cbcc2d81cd4f7c79a39bf1a69ad3fd14a97e97156d6ff2ef43e4c56be5885d0

Download Submit
C:\Windows\_temp03280247585362\pic\head.jpg
Filesize
28KB

MD5
069d803d68fa5bb3bade568a8f6bc1ce

SHA1
dbb7b41831d705b762a2b87a6f8e7cb4ee6fc9e5

SHA256
9c047b20f9baa9fdeadd70d93cce5fc5f31d1c4f446cb2d9acc523209e6c75e3

SHA512
abeb1e94bc63fdc5496b354b8788cdb249e92b0fe0829f8a0052f5b8d4f09309b62dbc85f2fe1370c527f97f9e45ac0aabde44bedf9175792db90131432be885

Download Submit
C:\Windows\_temp03280247585362\pic\left.jpg
Filesize
17KB

MD5
ea96d8162a586640d7ac631f52b83372

SHA1
36984ec6b439cd61210b80ba29c46348310aecdd

SHA256
5e74ac75bf1609aa8e05316d19121e24b095b6796dd330d6fa7a6c084db2c03b

SHA512
f561b801aec17d899c260dcb06d46b8664f82e9be6cb6791c567ffd76c175a1eb2668a9f4806b403db8c9eca343c906562771b88a45d67fc2b197bb5f0cc2ceb

Download Submit
C:\Windows\_temp03280247585362\pic\ver.ico
Filesize
22KB

MD5
3b456048c963f39b7b918c34742dff8d

SHA1
8dd5bd2f1dc5f896d3cb14cdec7691c42a60ec9a

SHA256
d352bbe8c271cc9007a841a5b7db960262fc85cae580f9814eb0b5c7e7e0b7e8

SHA512
abc38e1de5d9c982975965b784b692f6e8220bcb6e19cf0e66105a3207477f7cc03710e4563aa86666cfc4c411b0ea110c9e9efe827d26ea76a5e82010629a96

Download Submit
C:\Windows\_temp03280247585362\pic\zanzhu.ico
Filesize
24KB

MD5
94306384efdadfdcea096a022738bf1e

SHA1
72385c23173686ac2500ba3bca094c0c94e76212

SHA256
9672b50641ba9f9f1735fee2d3ba4fdc5bda18545530ee1869e01c25618c1345

SHA512
38f7de2ab148daea9f879665459fe374b1032b10eb1be6769fa17ffc8fc9b12a4bf8b9822a3bca2c8704aec7a996d5fe058e2a759a21f351162a8fcca729bbdf

Download Submit
memory/508-131-0x0000000000000000-mapping.dmp

Download
memory/1892-127-0x0000000000000000-mapping.dmp

Download
memory/3524-118-0x0000000000000000-mapping.dmp

Download
memory/3600-114-0x0000000000000000-mapping.dmp

Download
memory/3692-121-0x0000000000000000-mapping.dmp

Download
memory/3896-115-0x0000000000000000-mapping.dmp

Download
memory/3952-119-0x0000000000000000-mapping.dmp

Download
memory/3964-120-0x0000000000000000-mapping.dmp

Download
memory/3984-126-0x0000000000000000-mapping.dmp

Download
memory/3992-122-0x0000000000000000-mapping.dmp

Download
memory/4076-129-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads