8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1

General

Target

8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
Size

176KB
MD5

42fd0d4290c7f7e662645845df5a6fa0
SHA1

0c378139d3a2ed03dfe87039f6eb608a2fc91783
SHA256

8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1
SHA512

6aebff25032b4864d7968c196c6682044f8bd49da2db05c067b64f9522b9166bc92db9f837dc68992625167d6823bb02c6bce294f0b48ff801eb8cfb250237e2
SSDEEP

3072:pjkuJVLEQIURTXJaOuxR8E6GmEWvWVBZbPwP8EYzcnhDSyXAKP:quJes8bR8EJAvWHxo0JkuY

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Logo1_.exe8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exedownloadtool.exe

pid process

4012 Logo1_.exe
2600 8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
4228 downloadtool.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
File created	C:\Windows\Logo1_.exe	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	nsis_installer_2

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Logo1_.exe

pid	process
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe
4012	Logo1_.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exeLogo1_.exenet.execmd.exe8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe

description	pid	process	target process
PID 452 wrote to memory of 3572	452	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	cmd.exe
PID 452 wrote to memory of 3572	452	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	cmd.exe
PID 452 wrote to memory of 3572	452	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	cmd.exe
PID 452 wrote to memory of 4012	452	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	Logo1_.exe
PID 452 wrote to memory of 4012	452	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	Logo1_.exe
PID 452 wrote to memory of 4012	452	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	Logo1_.exe
PID 4012 wrote to memory of 2580	4012	Logo1_.exe	net.exe
PID 4012 wrote to memory of 2580	4012	Logo1_.exe	net.exe
PID 4012 wrote to memory of 2580	4012	Logo1_.exe	net.exe
PID 2580 wrote to memory of 5076	2580	net.exe	net1.exe
PID 2580 wrote to memory of 5076	2580	net.exe	net1.exe
PID 2580 wrote to memory of 5076	2580	net.exe	net1.exe
PID 3572 wrote to memory of 2600	3572	cmd.exe	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
PID 3572 wrote to memory of 2600	3572	cmd.exe	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
PID 3572 wrote to memory of 2600	3572	cmd.exe	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
PID 2600 wrote to memory of 4228	2600	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	downloadtool.exe
PID 2600 wrote to memory of 4228	2600	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	downloadtool.exe
PID 2600 wrote to memory of 4228	2600	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	downloadtool.exe
PID 4012 wrote to memory of 2080	4012	Logo1_.exe	Explorer.EXE
PID 4012 wrote to memory of 2080	4012	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
"C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a58E.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
"C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\downloadtool.exe
"C:\Users\Admin\AppData\Local\Temp\downloadtool.exe" -base64="pvVhTdQR/SCBM075+PQinh5Yo22gAT0qGiGozVyd/xV6A7GNHSDUrw37tPYtv1xaV3w3hf0xfkjD4n4LjuGemLQ4YIQIDIC7Yp+C615K+KwIEXJ2/qUbMHgnkQVZav+2LJJNCD6D/5/pAJ0csy7NC3cP3SaHhcssowba2QfSBtn/qmFtEa/DF7oeLwF9WxcuTdQZntCTZNIdPS6JZdAK7b2TwFLxry2EZixJy7QeGXXrej4nZqwiHTvotFjqcem2FKIvIRFhtyTaGQgJ484c0g+LeX3w3ZqGHfsDhrCCNY445PV2Q3DKKCPrFs0ygrxLYWPz1eNTJnGIGsk5Ls+hASDldgSix5mWKmLpNR/AfipvIg=="
5⤵
- Executes dropped EXE
PID:4228

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:5076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a58E.bat

Filesize
721B

MD5
3dfb1686b740bc82f3b6d5076a785674

SHA1
f88679d231a3b3cb7f9eee194c0765298df0b417

SHA256
36345a8ed8b41f7c0a9750b015b5ba65b202d0a900fb1bc2b8367f1d197b59fd

SHA512
ad45e8eeab8d70b14089e6e212f72b6a64ce28cad4e30b78213db3e40520a0ae8a261db623aa6e39ad0fed6978e565e254b421bae4ae4c1d10cd3da8b87ab76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe

Filesize
147KB

MD5
5f11c33466fc6f27425304309ee2275e

SHA1
18f77ebfd8e24a085f3179772c1c0b72f8af86d1

SHA256
b6b71fcab1aaf44994b110f5a357c13cd60adafce39abfbbf43e26ec641a687d

SHA512
4580f3c4ef0f0a3e36636eabccc387bfdbece5410815d9cd42f68b66664c79a8c554ddb9b83a945526d381ff8965a3b2411018b44703cd1d1913deeeab0c83e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe.exe

Filesize
147KB

MD5
5f11c33466fc6f27425304309ee2275e

SHA1
18f77ebfd8e24a085f3179772c1c0b72f8af86d1

SHA256
b6b71fcab1aaf44994b110f5a357c13cd60adafce39abfbbf43e26ec641a687d

SHA512
4580f3c4ef0f0a3e36636eabccc387bfdbece5410815d9cd42f68b66664c79a8c554ddb9b83a945526d381ff8965a3b2411018b44703cd1d1913deeeab0c83e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloadtool.exe

Filesize
173KB

MD5
0d2dff1c62944e10a4ec6fbad168669c

SHA1
86da2e70b2765c4dafc505c413b85b97ceadd527

SHA256
9efb0d906ebafc6bcff30c593447c00745e4d12491e3d244867b63ddf0e16b5f

SHA512
8a590687ea01ed34bf92115b2f69325cd86fd23fc5919fed2bcdb59d432a739a996cf8e50fe376bc96aec61febd5523b780f9718ec5e8d68810e5aa85c33d37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloadtool.exe

Filesize
173KB

MD5
0d2dff1c62944e10a4ec6fbad168669c

SHA1
86da2e70b2765c4dafc505c413b85b97ceadd527

SHA256
9efb0d906ebafc6bcff30c593447c00745e4d12491e3d244867b63ddf0e16b5f

SHA512
8a590687ea01ed34bf92115b2f69325cd86fd23fc5919fed2bcdb59d432a739a996cf8e50fe376bc96aec61febd5523b780f9718ec5e8d68810e5aa85c33d37b

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
a1b322adec9e24c57893d69cda3e902b

SHA1
49a27c87c427d8a12b1147c6456a6261a77b7752

SHA256
904ac84ac8d2eb8433616b3c556f8e903864cd40c3e2421021a3282d517364e2

SHA512
cf08417569f84e2806fdb82fa2d370a84ebe98fc41a741f8927f61425bf7aac5ee4eb31131c7a9bd33c7a38fd7580f8f9f868648c8e73e0e4b4fb76cfa0018b8

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
a1b322adec9e24c57893d69cda3e902b

SHA1
49a27c87c427d8a12b1147c6456a6261a77b7752

SHA256
904ac84ac8d2eb8433616b3c556f8e903864cd40c3e2421021a3282d517364e2

SHA512
cf08417569f84e2806fdb82fa2d370a84ebe98fc41a741f8927f61425bf7aac5ee4eb31131c7a9bd33c7a38fd7580f8f9f868648c8e73e0e4b4fb76cfa0018b8

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
a1b322adec9e24c57893d69cda3e902b

SHA1
49a27c87c427d8a12b1147c6456a6261a77b7752

SHA256
904ac84ac8d2eb8433616b3c556f8e903864cd40c3e2421021a3282d517364e2

SHA512
cf08417569f84e2806fdb82fa2d370a84ebe98fc41a741f8927f61425bf7aac5ee4eb31131c7a9bd33c7a38fd7580f8f9f868648c8e73e0e4b4fb76cfa0018b8

Download Submit
memory/452-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/452-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-139-0x0000000000000000-mapping.dmp

Download
memory/2600-143-0x0000000000000000-mapping.dmp

Download
memory/3572-133-0x0000000000000000-mapping.dmp

Download
memory/4012-134-0x0000000000000000-mapping.dmp

Download
memory/4012-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4012-149-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4228-145-0x0000000000000000-mapping.dmp

Download
memory/5076-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads