Analysis
max time kernel: 191s
max time network: 210s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 00:27
Static task
static1
Behavioral task
behavioral1
Sample
7f816b8fef1ef863eecbbc50359a5c7eb44b8b45827004286f5267b60ae4c689.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
7f816b8fef1ef863eecbbc50359a5c7eb44b8b45827004286f5267b60ae4c689.exe
Resource
win10v2004-20221111-en
General
-
Target
7f816b8fef1ef863eecbbc50359a5c7eb44b8b45827004286f5267b60ae4c689.exe
-
Size
85KB
-
MD5
36f04d289ac6cedb95b96542746a0f80
-
SHA1
9398a6a7677b3bc3f382a702d17eb32402655b1f
-
SHA256
7f816b8fef1ef863eecbbc50359a5c7eb44b8b45827004286f5267b60ae4c689
-
SHA512
bcd74cc940adf2dcbc51a319e916cc5795fb61a2c49257faf259e8a889e7fa6dfe6d6ad060d094f73f74604a7ca6eea39ca6a8aeb0af649608a3196b7c36ea9f
-
SSDEEP
768:I1O5RroZJ767395uINnEfDKBbUCp1OTZ+/VOKZWaIpMh66nIBL+nqXfaIRRlxfGe:I1e+Zk77RNzLiTO7ZCwIvRHxfG3ObF
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
PID 5064: Logo1_.exe
PID 3932: 7f816b8fef1ef863eecbbc50359a5c7eb44b8b45827004286f5267b60ae4c689.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
Processes:
File created C:\Windows\rundl132.exe (process: 7f816b8fef1ef863eecbbc50359a5c7eb44b8b45827004286f5267b60ae4c689.exe)
File created C:\Windows\Logo1_.exe (process: 7f816b8fef1ef863eecbbc50359a5c7eb44b8b45827004286f5267b60ae4c689.exe)
File opened for modification C:\Windows\rundl132.exe (process: Logo1_.exe)
File created C:\Windows\Dll.dll (process: Logo1_.exe)
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 29 IoCs
Processes
Each entry gives the image path, the command line, the PID, and the signatures raised for that process; indentation shows parent/child depth.

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1108

  C:\Users\Admin\AppData\Local\Temp\7f816b8fef1ef863eecbbc50359a5c7eb44b8b45827004286f5267b60ae4c689.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7f816b8fef1ef863eecbbc50359a5c7eb44b8b45827004286f5267b60ae4c689.exe"
    PID: 1776
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 4736
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 3412

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE109.bat
      PID: 3132
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\7f816b8fef1ef863eecbbc50359a5c7eb44b8b45827004286f5267b60ae4c689.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7f816b8fef1ef863eecbbc50359a5c7eb44b8b45827004286f5267b60ae4c689.exe"
        PID: 3932
        - Executes dropped EXE

    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 5064
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 912
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4504

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 3936
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 5012
Network
MITRE ATT&CK Enterprise v6
Downloads