dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10

Analysis

max time kernel
157s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2022, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
Size

474KB
MD5

750b491e4c1e0847f0972a17ca6327b0
SHA1

6ce277d10a5c4dd0105e368b3a527795d0714bde
SHA256

dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10
SHA512

42292c69374edc510e50d87066f33d0a541f8d4b38276bebeb5c512200d533631ff6f211c2fb422f7e75c8f58b1e36ba38ed51792847d61a4043428b03de691e
SSDEEP

6144:9Xq1Vm9LznGk73X6Li+lD1zykSsfHC4SYamijb7hTJ4eEAT3QLtJpA:9LznGk73KL/fcmijvzLzh

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
1708	Logo1_.exe
4696	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Logo1_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	Logo1_.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX65FD.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX4CCF.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\RCXB85.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCX5108.tmp	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\RCXCB9C.tmp	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\java.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXB058.tmp	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\uninstall\rundl132.exe	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
File created	C:\Windows\Logo1_.exe	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	Logo1_.exe
File created	C:\Windows\RichDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe
1708	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4696	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 1360	4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe	80
PID 4932 wrote to memory of 1360	4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe	80
PID 4932 wrote to memory of 1360	4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe	80
PID 1360 wrote to memory of 3768	1360	net.exe	82
PID 1360 wrote to memory of 3768	1360	net.exe	82
PID 1360 wrote to memory of 3768	1360	net.exe	82
PID 4932 wrote to memory of 2160	4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe	83
PID 4932 wrote to memory of 2160	4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe	83
PID 4932 wrote to memory of 2160	4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe	83
PID 4932 wrote to memory of 1708	4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe	85
PID 4932 wrote to memory of 1708	4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe	85
PID 4932 wrote to memory of 1708	4932	dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe	85
PID 1708 wrote to memory of 1872	1708	Logo1_.exe	86
PID 1708 wrote to memory of 1872	1708	Logo1_.exe	86
PID 1708 wrote to memory of 1872	1708	Logo1_.exe	86
PID 1872 wrote to memory of 4556	1872	net.exe	88
PID 1872 wrote to memory of 4556	1872	net.exe	88
PID 1872 wrote to memory of 4556	1872	net.exe	88
PID 2160 wrote to memory of 4696	2160	cmd.exe	89
PID 2160 wrote to memory of 4696	2160	cmd.exe	89
PID 2160 wrote to memory of 4696	2160	cmd.exe	89
PID 1708 wrote to memory of 4008	1708	Logo1_.exe	90
PID 1708 wrote to memory of 4008	1708	Logo1_.exe	90
PID 1708 wrote to memory of 4008	1708	Logo1_.exe	90
PID 4008 wrote to memory of 3552	4008	net.exe	92
PID 4008 wrote to memory of 3552	4008	net.exe	92
PID 4008 wrote to memory of 3552	4008	net.exe	92
PID 1708 wrote to memory of 3032	1708	Logo1_.exe	45
PID 1708 wrote to memory of 3032	1708	Logo1_.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
  "C:\Users\Admin\AppData\Local\Temp\dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a17AE.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe
      "C:\Users\Admin\AppData\Local\Temp\dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4696
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4556
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a17AE.bat

Filesize
722B

MD5
104623350b225a905802d7fe9d5dea3a

SHA1
c9a5095ed99b2582140b52d8b638a476a70fb8da

SHA256
86930209259de1fecb60760e37b3caa70a2f3f5d9d4c5347ac742db3fe49b441

SHA512
043a1bd31324fceef24fb3a4e33bae2b3188ad9c2ebf853bf95e59203809f9a4b9fd58959bf2e4ba435e42abbc53f4ffc52c3c28376c40d2b91335c091887397

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe

Filesize
381KB

MD5
a2c4f995230dd11213bc465353e4c7a9

SHA1
40e94933bbdb861285114275ac9d9ec5d0c1420d

SHA256
2d9a88ad937dd1a83a05a7fe31931baadda47ac31288132c43de17646e875cf2

SHA512
26c0ea3c53fbddcc0625ec52607b1582ae275865db3346972932cb29f8b3a166ea3cb94a28d627881ac4153f4f7c898ebc353e37fe6574237491119b5f371a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc324be62cdc4bf6caac1dcc37a75c87dcd2f8e96727611fa2acaebc9fb36c10.exe.exe

Filesize
381KB

MD5
a2c4f995230dd11213bc465353e4c7a9

SHA1
40e94933bbdb861285114275ac9d9ec5d0c1420d

SHA256
2d9a88ad937dd1a83a05a7fe31931baadda47ac31288132c43de17646e875cf2

SHA512
26c0ea3c53fbddcc0625ec52607b1582ae275865db3346972932cb29f8b3a166ea3cb94a28d627881ac4153f4f7c898ebc353e37fe6574237491119b5f371a44

Download Submit
C:\Windows\Logo1_.exe

Filesize
93KB

MD5
295c04ecec1b9b207b7202676f5f2445

SHA1
92ee3f11a89f27e94260fe21152ff9091cbb709c

SHA256
ef1605d5e6d341a3a76e36ab6ff3ce5efeb4aeb5660eb70211913f668c17f062

SHA512
bbb529608de54f30a5b5f4a0f097d2298db92f5ad0aedb68bfd191e4ed9a104864afeafee2f7db5953d82298b039a64b2f103b062ad45de3682069520df205eb

Download Submit
C:\Windows\Logo1_.exe

Filesize
93KB

MD5
295c04ecec1b9b207b7202676f5f2445

SHA1
92ee3f11a89f27e94260fe21152ff9091cbb709c

SHA256
ef1605d5e6d341a3a76e36ab6ff3ce5efeb4aeb5660eb70211913f668c17f062

SHA512
bbb529608de54f30a5b5f4a0f097d2298db92f5ad0aedb68bfd191e4ed9a104864afeafee2f7db5953d82298b039a64b2f103b062ad45de3682069520df205eb

Download Submit
C:\Windows\uninstall\rundl132.exe

Filesize
93KB

MD5
295c04ecec1b9b207b7202676f5f2445

SHA1
92ee3f11a89f27e94260fe21152ff9091cbb709c

SHA256
ef1605d5e6d341a3a76e36ab6ff3ce5efeb4aeb5660eb70211913f668c17f062

SHA512
bbb529608de54f30a5b5f4a0f097d2298db92f5ad0aedb68bfd191e4ed9a104864afeafee2f7db5953d82298b039a64b2f103b062ad45de3682069520df205eb

Download Submit