440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba

General

Target

440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
Size

169KB
MD5

027df46b9411263717ef91b5e8608820
SHA1

bdafedaed9c6ab83ec739f98bf638e80b555294a
SHA256

440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba
SHA512

82f2d347b0b1129f15749e05abd83604a231f35aef288c42b8fd15a12b28c9c36c024346b4bcc0b6fc0a63e59dbca56644e722b1910616ab920fe27142d8ef73
SSDEEP

3072:IVe+aX3zveyNIxq/iVo/MfafRUwFYC5TBf/2Fa9Y3zQOwNnYcVBPPy6t:5+aX3LVOx7Vo/Ms5TB6MCzQOwNnYcHKc

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe

pid process

1468 Logo1_.exe
1444 440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

568 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

568 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1468	Logo1_.exe
1444	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe

pid	process
568	cmd.exe

pid	process
568	cmd.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
File created	C:\Windows\Logo1_.exe	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exeLogo1_.exe

pid	process
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe
1468	Logo1_.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 992 wrote to memory of 928	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	net.exe
PID 992 wrote to memory of 928	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	net.exe
PID 992 wrote to memory of 928	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	net.exe
PID 992 wrote to memory of 928	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	net.exe
PID 928 wrote to memory of 1980	928	net.exe	net1.exe
PID 928 wrote to memory of 1980	928	net.exe	net1.exe
PID 928 wrote to memory of 1980	928	net.exe	net1.exe
PID 928 wrote to memory of 1980	928	net.exe	net1.exe
PID 992 wrote to memory of 568	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	cmd.exe
PID 992 wrote to memory of 568	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	cmd.exe
PID 992 wrote to memory of 568	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	cmd.exe
PID 992 wrote to memory of 568	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	cmd.exe
PID 992 wrote to memory of 1468	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	Logo1_.exe
PID 992 wrote to memory of 1468	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	Logo1_.exe
PID 992 wrote to memory of 1468	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	Logo1_.exe
PID 992 wrote to memory of 1468	992	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	Logo1_.exe
PID 1468 wrote to memory of 344	1468	Logo1_.exe	net.exe
PID 1468 wrote to memory of 344	1468	Logo1_.exe	net.exe
PID 1468 wrote to memory of 344	1468	Logo1_.exe	net.exe
PID 1468 wrote to memory of 344	1468	Logo1_.exe	net.exe
PID 344 wrote to memory of 684	344	net.exe	net1.exe
PID 344 wrote to memory of 684	344	net.exe	net1.exe
PID 344 wrote to memory of 684	344	net.exe	net1.exe
PID 344 wrote to memory of 684	344	net.exe	net1.exe
PID 568 wrote to memory of 1444	568	cmd.exe	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
PID 568 wrote to memory of 1444	568	cmd.exe	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
PID 568 wrote to memory of 1444	568	cmd.exe	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
PID 568 wrote to memory of 1444	568	cmd.exe	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
PID 1468 wrote to memory of 536	1468	Logo1_.exe	net.exe
PID 1468 wrote to memory of 536	1468	Logo1_.exe	net.exe
PID 1468 wrote to memory of 536	1468	Logo1_.exe	net.exe
PID 1468 wrote to memory of 536	1468	Logo1_.exe	net.exe
PID 536 wrote to memory of 1608	536	net.exe	net1.exe
PID 536 wrote to memory of 1608	536	net.exe	net1.exe
PID 536 wrote to memory of 1608	536	net.exe	net1.exe
PID 536 wrote to memory of 1608	536	net.exe	net1.exe
PID 1468 wrote to memory of 1396	1468	Logo1_.exe	Explorer.EXE
PID 1468 wrote to memory of 1396	1468	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
"C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2656.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
"C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe"
4⤵
- Executes dropped EXE
PID:1444

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:684

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a2656.bat

Filesize
722B

MD5
a61922067c2a9ed082a2dd2aab752b11

SHA1
6c8cd56bca5d8156eb9abe08935381138645c176

SHA256
0bb4dd885818215a29e879886822f159d062156a9fdcae1446253cbfd90105bb

SHA512
fdde04db213a684e4dd611ba21974bbc2d795a6ff9b5440fdc0d42d9c77c4e41d797b29dabb42f8ea4f25b52bacbf60811c3652f4e9b527c035ec873c76eec1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe

Filesize
135KB

MD5
41b81620620326b1839a9da43f343cdf

SHA1
6bd246cbe4bd1d68e03174ce30ff8fd9a79f8d3f

SHA256
1f92d1b7e3de8ddbd6611b3abba3af464d9aad06f5326b288b2d27ffcd6412a7

SHA512
6f3270b4d895dbd62608d9c381d3c327c01a99f17b0b4f3a4e50af1f9b233790e1a148ed34b2ce6842d16083cba25f5b535e65a12849eb47565b52b8b188cbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe.exe

Filesize
135KB

MD5
41b81620620326b1839a9da43f343cdf

SHA1
6bd246cbe4bd1d68e03174ce30ff8fd9a79f8d3f

SHA256
1f92d1b7e3de8ddbd6611b3abba3af464d9aad06f5326b288b2d27ffcd6412a7

SHA512
6f3270b4d895dbd62608d9c381d3c327c01a99f17b0b4f3a4e50af1f9b233790e1a148ed34b2ce6842d16083cba25f5b535e65a12849eb47565b52b8b188cbe3

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
1f5204f508b53f2c6c29023102ece203

SHA1
02bce63bdf6c0c9e7730327bade2ba4800dd8598

SHA256
29761e6db585a7a66b8d1842492baa7e006d35d17107853c3ca7501d1dd55d90

SHA512
b6b2b8939b46635340129e0de698b7f578a70b8666e862cce638ec7acb9b920cac7c9f845a1b2789a0a1c939f231a942067b72cc7c12bfd1a6d619879ecaf78d

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
1f5204f508b53f2c6c29023102ece203

SHA1
02bce63bdf6c0c9e7730327bade2ba4800dd8598

SHA256
29761e6db585a7a66b8d1842492baa7e006d35d17107853c3ca7501d1dd55d90

SHA512
b6b2b8939b46635340129e0de698b7f578a70b8666e862cce638ec7acb9b920cac7c9f845a1b2789a0a1c939f231a942067b72cc7c12bfd1a6d619879ecaf78d

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
1f5204f508b53f2c6c29023102ece203

SHA1
02bce63bdf6c0c9e7730327bade2ba4800dd8598

SHA256
29761e6db585a7a66b8d1842492baa7e006d35d17107853c3ca7501d1dd55d90

SHA512
b6b2b8939b46635340129e0de698b7f578a70b8666e862cce638ec7acb9b920cac7c9f845a1b2789a0a1c939f231a942067b72cc7c12bfd1a6d619879ecaf78d

Download Submit
\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe

Filesize
135KB

MD5
41b81620620326b1839a9da43f343cdf

SHA1
6bd246cbe4bd1d68e03174ce30ff8fd9a79f8d3f

SHA256
1f92d1b7e3de8ddbd6611b3abba3af464d9aad06f5326b288b2d27ffcd6412a7

SHA512
6f3270b4d895dbd62608d9c381d3c327c01a99f17b0b4f3a4e50af1f9b233790e1a148ed34b2ce6842d16083cba25f5b535e65a12849eb47565b52b8b188cbe3

Download Submit
memory/344-62-0x0000000000000000-mapping.dmp

Download
memory/536-72-0x0000000000000000-mapping.dmp

Download
memory/568-57-0x0000000000000000-mapping.dmp

Download
memory/684-65-0x0000000000000000-mapping.dmp

Download
memory/928-54-0x0000000000000000-mapping.dmp

Download
memory/992-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/992-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1444-67-0x0000000000000000-mapping.dmp

Download
memory/1444-69-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/1468-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1468-58-0x0000000000000000-mapping.dmp

Download
memory/1468-74-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1608-73-0x0000000000000000-mapping.dmp

Download
memory/1980-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads