metasploit | f00978e8456694b3548f25dde8b524ce6e4b0975494849cc35b88ada3f461111

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 19:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa52d2b35d0a5669a54193a76d9fe9e1.exe
Size

1.7MB
MD5

aa52d2b35d0a5669a54193a76d9fe9e1
SHA1

0ba13b228b47c078f172bcac4355aa72a43a80e5
SHA256

f00978e8456694b3548f25dde8b524ce6e4b0975494849cc35b88ada3f461111
SHA512

ec8f8f98dd34605c5a9bfa1ba6413531fa7d21f9136da1687581adfd8c839ae12dd077867efde4e5d89ab8687eeca345ad72701567fc9f79a1daca9ff920cc80
SSDEEP

49152:IdYddVDK5hUOMQKk1Er1E8dYdQTEdYdknvKZvB4VJZreDVJZre2:NVDQgFOPnvip4VzAVzx

Score

10^/10

metasploit backdoor evasion persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msn_kilo.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msn_kilo.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	msn_kilo.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\System\msn_kilo.exe = "C:\\Program Files (x86)\\Common Files\\System\\msn_kilo.exe:*:Enabled:WindowsSystem32"	msn_kilo.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	aa52d2b35d0a5669a54193a76d9fe9e1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	l33t.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	gf.exe

Executes dropped EXE 12 IoCs

pid	Process
4256	WinInet.exe
2180	WinInet.exe
1968	msn_kilo.exe
4572	msn_kilo.exe
944	em.exe
4640	em.exe
4488	emo.exe
2012	emo.exe
4484	l33t.exe
1388	explorer.exe
3452	gf.exe
2664	explorer.exe

Loads dropped DLL 4 IoCs

pid	Process
4256	WinInet.exe
1968	msn_kilo.exe
944	em.exe
4488	emo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsSystem32 = "C:\\Program Files (x86)\\Common Files\\System\\msn_kilo.exe"	msn_kilo.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\kernel23.dll	WinInet.exe
File created	C:\WINDOWS\SysWOW64\kernel23.dll	WinInet.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4256 set thread context of 2180	4256	WinInet.exe	93
PID 1968 set thread context of 4572	1968	msn_kilo.exe	95
PID 944 set thread context of 4640	944	em.exe	97
PID 4488 set thread context of 2012	4488	emo.exe	99

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\msn_kilo.exe	WinInet.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msn_kilo.exe	msn_kilo.exe
File opened for modification	C:\Program Files (x86)\Common Files\System	msn_kilo.exe
File created	C:\Program Files (x86)\Common Files\System\msn_kilo.exe	msn_kilo.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msn_kilo.exe	msn_kilo.exe
File opened for modification	C:\Program Files (x86)\Common Files\System	WinInet.exe
File created	C:\Program Files (x86)\Common Files\System\msn_kilo.exe	WinInet.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinInet.exe	WinInet.exe
File opened for modification	C:\Windows\emo.exe	aa52d2b35d0a5669a54193a76d9fe9e1.exe
File opened for modification	C:\Windows\em.exe	em.exe
File opened for modification	C:\Windows\l33t.exe	aa52d2b35d0a5669a54193a76d9fe9e1.exe
File opened for modification	C:\Windows\emo.exe	emo.exe
File opened for modification	C:\Windows\gf.exe	aa52d2b35d0a5669a54193a76d9fe9e1.exe
File opened for modification	C:\Windows\WinInet.exe	aa52d2b35d0a5669a54193a76d9fe9e1.exe
File opened for modification	C:\Windows\em.exe	aa52d2b35d0a5669a54193a76d9fe9e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe
4256	WinInet.exe
1968	msn_kilo.exe
944	em.exe
4488	emo.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4256	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	92
PID 2184 wrote to memory of 4256	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	92
PID 2184 wrote to memory of 4256	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	92
PID 4256 wrote to memory of 2180	4256	WinInet.exe	93
PID 4256 wrote to memory of 2180	4256	WinInet.exe	93
PID 4256 wrote to memory of 2180	4256	WinInet.exe	93
PID 4256 wrote to memory of 2180	4256	WinInet.exe	93
PID 4256 wrote to memory of 2180	4256	WinInet.exe	93
PID 4256 wrote to memory of 2180	4256	WinInet.exe	93
PID 4256 wrote to memory of 2180	4256	WinInet.exe	93
PID 4256 wrote to memory of 2180	4256	WinInet.exe	93
PID 4256 wrote to memory of 2180	4256	WinInet.exe	93
PID 2180 wrote to memory of 1968	2180	WinInet.exe	96
PID 2180 wrote to memory of 1968	2180	WinInet.exe	96
PID 2180 wrote to memory of 1968	2180	WinInet.exe	96
PID 1968 wrote to memory of 4572	1968	msn_kilo.exe	95
PID 1968 wrote to memory of 4572	1968	msn_kilo.exe	95
PID 1968 wrote to memory of 4572	1968	msn_kilo.exe	95
PID 1968 wrote to memory of 4572	1968	msn_kilo.exe	95
PID 1968 wrote to memory of 4572	1968	msn_kilo.exe	95
PID 1968 wrote to memory of 4572	1968	msn_kilo.exe	95
PID 1968 wrote to memory of 4572	1968	msn_kilo.exe	95
PID 1968 wrote to memory of 4572	1968	msn_kilo.exe	95
PID 1968 wrote to memory of 4572	1968	msn_kilo.exe	95
PID 2184 wrote to memory of 944	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	98
PID 2184 wrote to memory of 944	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	98
PID 2184 wrote to memory of 944	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	98
PID 944 wrote to memory of 4640	944	em.exe	97
PID 944 wrote to memory of 4640	944	em.exe	97
PID 944 wrote to memory of 4640	944	em.exe	97
PID 944 wrote to memory of 4640	944	em.exe	97
PID 944 wrote to memory of 4640	944	em.exe	97
PID 944 wrote to memory of 4640	944	em.exe	97
PID 944 wrote to memory of 4640	944	em.exe	97
PID 944 wrote to memory of 4640	944	em.exe	97
PID 944 wrote to memory of 4640	944	em.exe	97
PID 2184 wrote to memory of 4488	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	100
PID 2184 wrote to memory of 4488	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	100
PID 2184 wrote to memory of 4488	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	100
PID 4488 wrote to memory of 2012	4488	emo.exe	99
PID 4488 wrote to memory of 2012	4488	emo.exe	99
PID 4488 wrote to memory of 2012	4488	emo.exe	99
PID 4488 wrote to memory of 2012	4488	emo.exe	99
PID 4488 wrote to memory of 2012	4488	emo.exe	99
PID 4488 wrote to memory of 2012	4488	emo.exe	99
PID 4488 wrote to memory of 2012	4488	emo.exe	99
PID 4488 wrote to memory of 2012	4488	emo.exe	99
PID 4488 wrote to memory of 2012	4488	emo.exe	99
PID 2184 wrote to memory of 4484	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	101
PID 2184 wrote to memory of 4484	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	101
PID 4484 wrote to memory of 1388	4484	l33t.exe	102
PID 4484 wrote to memory of 1388	4484	l33t.exe	102
PID 4484 wrote to memory of 1388	4484	l33t.exe	102
PID 2184 wrote to memory of 3452	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	103
PID 2184 wrote to memory of 3452	2184	aa52d2b35d0a5669a54193a76d9fe9e1.exe	103
PID 3452 wrote to memory of 2664	3452	gf.exe	104
PID 3452 wrote to memory of 2664	3452	gf.exe	104
PID 3452 wrote to memory of 2664	3452	gf.exe	104

C:\Users\Admin\AppData\Local\Temp\aa52d2b35d0a5669a54193a76d9fe9e1.exe
"C:\Users\Admin\AppData\Local\Temp\aa52d2b35d0a5669a54193a76d9fe9e1.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\WinInet.exe
  "C:\Windows\WinInet.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\WinInet.exe
    C:\Windows\WinInet.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Program Files (x86)\Common Files\System\msn_kilo.exe
      "C:\Program Files (x86)\Common Files\System\msn_kilo.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1968
- C:\Windows\em.exe
  "C:\Windows\em.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:944
- C:\Windows\emo.exe
  "C:\Windows\emo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4488
- C:\Windows\l33t.exe
  "C:\Windows\l33t.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:1388
- C:\Windows\gf.exe
  "C:\Windows\gf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:2664

C:\Program Files (x86)\Common Files\System\msn_kilo.exe
"C:\Program Files (x86)\Common Files\System\msn_kilo.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:4572

C:\Windows\em.exe
C:\Windows\em.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\emo.exe
C:\Windows\emo.exe
1⤵
- Executes dropped EXE
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\msn_kilo.exe

Filesize
324KB

MD5
b8db720333fb7fd07852c2da19612c90

SHA1
15c79abaf400ea0a3edee1518c6bab28b7be444b

SHA256
e45c5797d8a466ed1c85e9828593a2c872fd90eab1af7d1a98898e3fba856f5b

SHA512
3caa33ca14115674e31d4d5f805bbf251bb956006e4399209a139d10e9df2bb7d82513c5bb33387be1e69ab9adfd02cbde9e834ee50bc0a61f586ddcffe176b7

Download Submit
C:\Program Files (x86)\Common Files\System\msn_kilo.exe

Filesize
407KB

MD5
93eca1fefc79e187c8e93c7d0b02e08a

SHA1
fa306584b76fb4ec2e36f47fc9d596a23e4b5e8f

SHA256
c0121177bb8e342f6d11ff759d4279212f060b459b45685ee269bc4c4fd31249

SHA512
4e4916cb74fccfe90ef95e97f7ca301d2392d4c7fa479a937dee213992ac91d531b2f5023e3bf4830ed8489dea5d7bde5783ab42700f5622fbb89b9472bc588e

Download Submit
C:\Program Files (x86)\Common Files\System\msn_kilo.exe

Filesize
312KB

MD5
ada87a5742b3c72b758d2badad1a423c

SHA1
834a8d8ca2b36ee7a1f9de46045b7ea7d06b7be7

SHA256
25f09dcbd4c627d66289af56553903bd24e3872354e9711949fd3829c8fe8902

SHA512
9b8dc2c6f6174b3f79ce17fdc738e919110a8bf855215e9dcf283739376719a5908ca7c9f15d43bdf6754a68561935604386c4b1f868b462b7f0422e18d2b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
74KB

MD5
8b07e4eb224a264790f2f51513d4810a

SHA1
2109ed97528af5c069a42ca42c0ccf1c3b4ffde7

SHA256
274273225883f642a2fca3c10b2df968c4c407569a08ec9c6d36519db5beedee

SHA512
bd76efebc5724d5b9ffdb919da73795de05818005c7e31b66c2d7a3e846704d3366d78762f9c8b67d10acd192a55c501314b819360dc56ac3f2202d10133ff84

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
68KB

MD5
d250fc7cba7d55e768d3b4aa8fcbd4c9

SHA1
0df322eb79eb65c40b6736340a3f1138bf9bd7f5

SHA256
6678ab447170a6e259709561655a6524aa5abae2624ac938c82208d233e5b89d

SHA512
717379bb3a33b06febb758025b7c4e3f7d88a361fd3b27e0953a08edbc746a727949ccdd07f097ad70638374896b705051bc3477e7f445414fd3e1ad63e9180f

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1KB

MD5
3a56875c1aeadcc4ca93ebbda44683e2

SHA1
3ba0808daf2deb24da67d501697f906c442fa7a3

SHA256
a87f222692576700ee5b2d129e86406601e18f59c0603ea1ae7f23187d1b9d43

SHA512
cb725657977c340200b4c1142e3b353bd8218c4e0a32483e8a12e110dd20b8c0e666a06b503e6484fb6adda2e7924d28d15a405857ec97df21c80ae31765b727

Download Submit
C:\Windows\SysWOW64\kernel23.DLL

Filesize
387KB

MD5
7427717783a03a9f2c10fe5fb09c972f

SHA1
2a74b66d462dd193ce16abdfddc9f3c44eb28632

SHA256
3ff1e6238191f49a3f3f5584471daaf8aed3707b4bd56b0a44ad48ebfde6051d

SHA512
a271dbb9c25657e967c1a26a58ad20ebd1bda5414d311d88a5cd35a44b7bc879c6ee185533e0fdac8c5682ebef09336aa970c6b904957acefcb26685ee57ee73

Download Submit
C:\Windows\SysWOW64\kernel23.dll

Filesize
312KB

MD5
9e81a4c2271f4091910887bba37765e4

SHA1
56ebc6675ac5278e17532c2487d2bcb8d7cfa6d8

SHA256
b307f990145e4e368027f209758bc47ca1599012ddf522df9feccb3aae80f1b8

SHA512
0d3b3ee131797e5a888c4207abeb4a655eee58f2e4c14aee73b127af5dadb9656efe774912e075c2941ce5bae1e3f8b9c92d3be98c1d2e578c160fc2d6e50912

Download Submit
C:\Windows\SysWOW64\kernel23.dll

Filesize
258KB

MD5
c1ba36f83b57b9b67e4c038d8b55db66

SHA1
819d986d87a18a042d658194f9c8116ad0e6e389

SHA256
2954f6802ce14b1c410d450c7238f350cf15d442b22ee98be67b18db7fba3fe0

SHA512
b3bde40c459963126bf7b2103607b27bad3aab8a1d0fcde6f4133294ed52d9527fe14646e61953bd3542bb2357eea5a497e2ab183354d6a3cc7a2fac72a572e6

Download Submit
C:\Windows\SysWOW64\kernel23.dll

Filesize
208KB

MD5
0d658bcf764b202d691007fd72c05521

SHA1
36bc4c0dba4dc12e22fee044c37e92e1ec8392ad

SHA256
de91a42c76b4b9098e0b4f2dee23b42d4fce7c75d80903c577e0f774c5689ae8

SHA512
52f98136c0e9b51a8677480a7369b266aeee9e6d3da67fb97e488a698585ae698359867547cdac735615882d254e0a6d8f380a73561c23dcb25011e708b9bea7

Download Submit
C:\Windows\SysWOW64\kernel23.dll

Filesize
131KB

MD5
a3d2a53f9344ba0e76e8b3ce7ee08e31

SHA1
ba734cf8edc573da900fb05c80df52c6e518a427

SHA256
78a6294679b7bc9134377fe431f9cb6412ecc3b572256021f82754dfc165aaac

SHA512
534b1527f1efe5d8f812b40d7d68da09f7434d2129e756e5c723e9b4389928759f19d121254bb0cf94ac3858b5646e6c266c7ba596973f9e2c5b4dff0e1f29f4

Download Submit
C:\Windows\WinInet.exe

Filesize
332KB

MD5
d39a0269887eecdddeefe9eab1bd3c22

SHA1
f97f15b5d7b776d08ef419c7e0d6a9812650a9b1

SHA256
0e86e6275625693fb2f21ca252b79cb1b300cc3aa30e1b895ae54f57b3414330

SHA512
de5d95b7f11af4d6f45b1986d2cb368a6a6816799123f4fca6a5d82f2cc008559601106de9901e2c5c5137450693bd4eebd8075a6d0fe3701b3563f6a82bb734

Download Submit
C:\Windows\WinInet.exe

Filesize
394KB

MD5
d37385669dcf8ef3703010fb4401cd08

SHA1
e1c289d43d8219a2a19830f98b38ecd6d6a98d38

SHA256
5b8c4bebc539b32342720dbc388815a854c0029ba069f1042a63a4d89e37a8c9

SHA512
1058998a2adf53bb84ac882d07f0d27f41db484ab6bb7de0bd1306831ceef5b96d3ab6c0dcbcd04bb8bb1901a3619d9d7dda6c399ee347dbc7066a73acee3d7b

Download Submit
C:\Windows\WinInet.exe

Filesize
318KB

MD5
23cfcea98274180b95ac15f295505ca2

SHA1
7c8e4bcb4e3b05365122874adbf469e66e4b960a

SHA256
47609a8e3dcae8f5c559e58677c07473b2c3a0ab701c557862f92c1da8edc601

SHA512
4588022517644b96fe69925156ec8958e67b2c1e472b91be1ed2c8bc7ffad1bfa8147dcd04afae5d825c14c86a4bdadaf126ba717a1b9f4b1243c17af0c2e189

Download Submit
C:\Windows\WinInet.exe

Filesize
711KB

MD5
26bfa7affd98f30665ee1f40a3dfb1c8

SHA1
7ad71a62989a45c3bd31daa4561fa1280b85ca12

SHA256
13e702af9f89c03357ec3b51a553d48a7b428703a629a82c123b1c0f620861a6

SHA512
8e54677d026f025fa514010ee65faa7ec0f7e1d4306c75d2b66a752720e1a6d0f03b981289d599479f8d0c82f535808eafba31e537b25e16dff54a5753395ae9

Download Submit
C:\Windows\em.exe

Filesize
185KB

MD5
aaff4eff1db9b53232319a1d59e50ad8

SHA1
fe139d84265927460c99a3c85b5aa1307e96522e

SHA256
2b29b3be908a0e588e2c3d79806dc92ef29c0b3f6a81393a6b202786bde0317d

SHA512
38a1a800af6e43a99eea829e91ce95dc73062f2655cf8dccb7e358f198d5fcf89c8993209375491e4c422e09ae0679b1322864483e70bc9f095111478944c2dc

Download Submit
C:\Windows\em.exe

Filesize
14KB

MD5
d46b29f1852d06377c9aea63b78d166e

SHA1
690ea5cbfb3146dd7ef9b9dde704d80f7533a3b6

SHA256
23c4fabb0ebbe0c9894b3503d160ef151734cabfecf5d5634df846d6b663a821

SHA512
84f1f6f0d2648bae3d341be27e1f980198e2f15532006399c8b5b5aecab9b5f543fdf05011fb8c814bb94160ed9c81919bc7da98834a9f877bc9223411b6f6ce

Download Submit
C:\Windows\em.exe

Filesize
7KB

MD5
90aa103f31d4dac6e99fff72debeb0a7

SHA1
113ccc060aa84c5d42c3e23c6ffdbc46b23abe2a

SHA256
d11e3e2c4db0d29a3b05961eef9923de86fd1a63b7652775a2cd2e1853cf3b0c

SHA512
01edd80e5288b5b301af7d4497a6ca6a0684dd6a4af3d95957c298d307a5d6b6e52578a5778895c6303bec6ea7cae452f682c8817a2acd6abb696a9cedfad00f

Download Submit
C:\Windows\emo.exe

Filesize
144KB

MD5
e5bc6a3f37c2bc581380e3fe6e667417

SHA1
8b42f6a2ade1dcd48f77f7e47135967f1f83248e

SHA256
5dcd8204465591fe4d62c5c57b6362c8c2fa319f045cc509b2fa60036bf6405b

SHA512
cac610da3306e1668eeaa2f33c02cd5780fab70b612c152e9aae3dde74579814103faa0be60eac63266f96f98bb563d3a9c3da8221e637189adf07f3935e85f1

Download Submit
C:\Windows\emo.exe

Filesize
110KB

MD5
ea0bfb6be9e0f89fe4b78fe59627c4e7

SHA1
8fbfc851173a93613381af6a657d77dadeea6eca

SHA256
3f7527c8f75a0a207c054c1b00659f1b5a19e752fe8de29f7a126cb563b99d55

SHA512
46dfe297e2adc742318ccdf39f1b52300ceab5a6a87aee2d7bae8c82aae349094ae02859bfb1c5bf44124fe56c37350f34efabb30702d3d8c0e6ec8288267388

Download Submit
C:\Windows\emo.exe

Filesize
80KB

MD5
31bf74d26f9987c625f6ab630f207538

SHA1
f7f3ed068fcd2d9d89073dfa3d00429e9f6384f5

SHA256
634801bc622679d81ca64ddfa2329e273c7aa850344be6564772eef442f08bb8

SHA512
184b55440ccc0d4b6474ee317956f5689406b02c3f7632d4b81604d7d65e937f221118442d5b187366e4d3c47e1b2300f3a3adf48464ce889428f0990a9f33db

Download Submit
C:\Windows\emo.exe

Filesize
85KB

MD5
abb1c9f34d769c45f3edecd8872afef4

SHA1
f80e0ca643302800b0147510baa8569318a77dc9

SHA256
4e821f18b85bce113af544331598b07453124a707638bb083b9b5e83c513ce6c

SHA512
4df456ba1bfd9408b37a4fb96ebc8641ca3ffd9daaeb8d2af3ebc5f89942cfb9c0180e2ef8b85f050aa8ab7eb06908b77f5363b0a4919a6d367b81a412c18c49

Download Submit
C:\Windows\gf.exe

Filesize
46KB

MD5
d8db8b8d015a041c73428dffe09932cc

SHA1
c1013a58309a20fd2769572ad075da058628b0be

SHA256
0f2f6a952b7d69d92f9cd6695838b5232f0ff6c7c94081bb16dc21564d58dc3b

SHA512
3994379b788ed0e4059040a08fbf27d5632849aa3a0b764c4f71ef8d41c65ffabc55b63cf33ade1a585d426f715a6b1c06b4fb4df4c00ffcd33f4546ff52d5d5

Download Submit
C:\Windows\gf.exe

Filesize
106KB

MD5
dc9f8dadc618e64a6afff97aed95a441

SHA1
257284743663756ad7feb811475fb0ac70b9848e

SHA256
f8789e77915359588e3a4bfe480ab03a804495ce2344f085e51b97584d4d678e

SHA512
877a41bfeeba1f505fc732ed0d56648b30bf9c603a21dd0c21214d18852ac7bc6b7f89004d1b62e81cb325ffee771d4321fdb835729aeaa050dc4933557ae1f1

Download Submit
C:\Windows\gf.exe

Filesize
137KB

MD5
96ea702a7728ad0390f8d35230e04ef0

SHA1
02ec193a083cd3b9d7e376b7c23c0eb12abb35a8

SHA256
85ed8d79ee60c4a1f9bf89825c6c432fc575cd54ff414e5f32cb4d3bdc94d1a8

SHA512
fe303e830f5cbbff6bbef5f1a2b964b5e4de28ef0bf03c8b01fabacef9e9011638318b7ad657eeb20dbb86aaa2243e7b901f37d8df55a50b823c6f77341e3f39

Download Submit
C:\Windows\l33t.exe

Filesize
126KB

MD5
332fef24a1a45a7ea97e1b12c4e7f2c9

SHA1
c67f823fb0ff983bf5ee16a8429fb26559ff40ea

SHA256
3a67c659e3709d983e4a0b5851c8e66a6d987d12ae55be63930737ccf3862ec4

SHA512
b3337a43bb1e496f163c9b6380cc77b387b59940bd19bae99e4c04e3738e95bdb5933c8c43c5bd7b9c620c74719a541372b8afa48dcb1318cf39cda54f518f28

Download Submit
memory/2012-95-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2012-90-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2012-89-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2012-92-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2012-91-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2180-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2180-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2180-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2180-51-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2180-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2180-30-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2180-28-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3452-143-0x00007FFED9FB0000-0x00007FFEDA951000-memory.dmp

Filesize
9.6MB

Download
memory/3452-140-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3452-137-0x00007FFED9FB0000-0x00007FFEDA951000-memory.dmp

Filesize
9.6MB

Download
memory/3452-139-0x00007FFED9FB0000-0x00007FFEDA951000-memory.dmp

Filesize
9.6MB

Download
memory/3452-138-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/4484-111-0x00007FFED9FB0000-0x00007FFEDA951000-memory.dmp

Filesize
9.6MB

Download
memory/4484-112-0x000000001BA00000-0x000000001BECE000-memory.dmp

Filesize
4.8MB

Download
memory/4484-116-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/4484-110-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/4484-114-0x000000001B400000-0x000000001B408000-memory.dmp

Filesize
32KB

Download
memory/4484-126-0x00007FFED9FB0000-0x00007FFEDA951000-memory.dmp

Filesize
9.6MB

Download
memory/4484-115-0x000000001C130000-0x000000001C17C000-memory.dmp

Filesize
304KB

Download
memory/4484-108-0x000000001B480000-0x000000001B526000-memory.dmp

Filesize
664KB

Download
memory/4484-113-0x000000001BFD0000-0x000000001C06C000-memory.dmp

Filesize
624KB

Download
memory/4484-109-0x00007FFED9FB0000-0x00007FFEDA951000-memory.dmp

Filesize
9.6MB

Download
memory/4572-144-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4640-67-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4640-73-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4640-70-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4640-69-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4640-68-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads