cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/09/2023, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
Size

478KB
MD5

ebd7225ca6d2671c11276e57b4b98968
SHA1

f15a6567337e16fa539e483bec4f422c1931614b
SHA256

cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c
SHA512

1a4334c7779ac3f7765ebd38bde9c80203e4b63a2f9fbb53aace6fbc8904f92eed38592ec8fc8cfd1eb9d51dfa1b2d74f23efe2a58a75d8d64f418f3a695bce0
SSDEEP

12288:oUMHdZc0IursYCYQeSnyZJiqlEbXSb9NtCGOF2O27MVzy:JMHxMYenGJiKEbXWtfOkUy

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2800	Logo1_.exe
2764	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2344	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe

Loads dropped DLL 3 IoCs

pid	Process
2768	cmd.exe
2764	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2344	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
File created	C:\Windows\Logo1_.exe	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe
2800	Logo1_.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2008	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	28
PID 2480 wrote to memory of 2008	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	28
PID 2480 wrote to memory of 2008	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	28
PID 2480 wrote to memory of 2008	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	28
PID 2008 wrote to memory of 1640	2008	net.exe	30
PID 2008 wrote to memory of 1640	2008	net.exe	30
PID 2008 wrote to memory of 1640	2008	net.exe	30
PID 2008 wrote to memory of 1640	2008	net.exe	30
PID 2480 wrote to memory of 2768	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	31
PID 2480 wrote to memory of 2768	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	31
PID 2480 wrote to memory of 2768	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	31
PID 2480 wrote to memory of 2768	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	31
PID 2480 wrote to memory of 2800	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	33
PID 2480 wrote to memory of 2800	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	33
PID 2480 wrote to memory of 2800	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	33
PID 2480 wrote to memory of 2800	2480	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	33
PID 2800 wrote to memory of 2648	2800	Logo1_.exe	35
PID 2800 wrote to memory of 2648	2800	Logo1_.exe	35
PID 2800 wrote to memory of 2648	2800	Logo1_.exe	35
PID 2800 wrote to memory of 2648	2800	Logo1_.exe	35
PID 2648 wrote to memory of 2676	2648	net.exe	36
PID 2648 wrote to memory of 2676	2648	net.exe	36
PID 2648 wrote to memory of 2676	2648	net.exe	36
PID 2648 wrote to memory of 2676	2648	net.exe	36
PID 2768 wrote to memory of 2764	2768	cmd.exe	37
PID 2768 wrote to memory of 2764	2768	cmd.exe	37
PID 2768 wrote to memory of 2764	2768	cmd.exe	37
PID 2768 wrote to memory of 2764	2768	cmd.exe	37
PID 2768 wrote to memory of 2764	2768	cmd.exe	37
PID 2768 wrote to memory of 2764	2768	cmd.exe	37
PID 2768 wrote to memory of 2764	2768	cmd.exe	37
PID 2764 wrote to memory of 2344	2764	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	38
PID 2764 wrote to memory of 2344	2764	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	38
PID 2764 wrote to memory of 2344	2764	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	38
PID 2764 wrote to memory of 2344	2764	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	38
PID 2764 wrote to memory of 2344	2764	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	38
PID 2764 wrote to memory of 2344	2764	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	38
PID 2764 wrote to memory of 2344	2764	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	38
PID 2800 wrote to memory of 2636	2800	Logo1_.exe	39
PID 2800 wrote to memory of 2636	2800	Logo1_.exe	39
PID 2800 wrote to memory of 2636	2800	Logo1_.exe	39
PID 2800 wrote to memory of 2636	2800	Logo1_.exe	39
PID 2636 wrote to memory of 2248	2636	net.exe	41
PID 2636 wrote to memory of 2248	2636	net.exe	41
PID 2636 wrote to memory of 2248	2636	net.exe	41
PID 2636 wrote to memory of 2248	2636	net.exe	41
PID 2800 wrote to memory of 1280	2800	Logo1_.exe	21
PID 2800 wrote to memory of 1280	2800	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
  "C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4569.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
      "C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe" -burn.unelevated BurnPipe.{251234C5-0091-4603-998A-7EE9F3898ED4} {EC0398E9-F061-47A0-BD6D-4239C697E6D7} 2764
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2344
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2676
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
4da1ac2c4f32700517b93712898b036c

SHA1
3f699f656e034a611355c4435358d3144fdf97cc

SHA256
3c9d714a593981994a9ad2c8c88b495ef3c1e3b89ae8c5a29d1f7240e178f069

SHA512
8c7c84dc64ccbf3bf6111ad92c05eed1283d6379c89528001ca8be56f6d13bc7e1e573f9aa72e3fa2f4bf53e4b98f243807a0201d801a57238276d5b211c9be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4569.bat

Filesize
722B

MD5
d9d45378d94dd3ad060adda8a522034f

SHA1
64ed539b818f74ad747e96fd1506893922c8c295

SHA256
9cbecd0d1368f91aeb63849163701d765890179422d004c8ed8a3687fa5c06d2

SHA512
f4c288f3053ba2b578e370601418914ba71faa653cc6087cf227811b521c6a9091db3c224cfee3a3bb98fba10dc18f67c9441694ec2da40fcfcb5e4b5441061b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4569.bat

Filesize
722B

MD5
d9d45378d94dd3ad060adda8a522034f

SHA1
64ed539b818f74ad747e96fd1506893922c8c295

SHA256
9cbecd0d1368f91aeb63849163701d765890179422d004c8ed8a3687fa5c06d2

SHA512
f4c288f3053ba2b578e370601418914ba71faa653cc6087cf227811b521c6a9091db3c224cfee3a3bb98fba10dc18f67c9441694ec2da40fcfcb5e4b5441061b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
346075a5736c44dccf1d8465aec587f9

SHA1
ad9ee7e900806ad60a6b9189a4d1e2d0358ff401

SHA256
a01002f54fa0fb377b3d472f03a62758bed36170ac203ebe444e719e9d190a5f

SHA512
bb21ed52463aa875ce01b3e99ac0760773a2e1ca07b35cac92b70d9e4507fed336c3c237ff041e7b8af5aa3533786b0cdc92bcae3db39a718f5b025146a6e86c

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
346075a5736c44dccf1d8465aec587f9

SHA1
ad9ee7e900806ad60a6b9189a4d1e2d0358ff401

SHA256
a01002f54fa0fb377b3d472f03a62758bed36170ac203ebe444e719e9d190a5f

SHA512
bb21ed52463aa875ce01b3e99ac0760773a2e1ca07b35cac92b70d9e4507fed336c3c237ff041e7b8af5aa3533786b0cdc92bcae3db39a718f5b025146a6e86c

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
346075a5736c44dccf1d8465aec587f9

SHA1
ad9ee7e900806ad60a6b9189a4d1e2d0358ff401

SHA256
a01002f54fa0fb377b3d472f03a62758bed36170ac203ebe444e719e9d190a5f

SHA512
bb21ed52463aa875ce01b3e99ac0760773a2e1ca07b35cac92b70d9e4507fed336c3c237ff041e7b8af5aa3533786b0cdc92bcae3db39a718f5b025146a6e86c

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
346075a5736c44dccf1d8465aec587f9

SHA1
ad9ee7e900806ad60a6b9189a4d1e2d0358ff401

SHA256
a01002f54fa0fb377b3d472f03a62758bed36170ac203ebe444e719e9d190a5f

SHA512
bb21ed52463aa875ce01b3e99ac0760773a2e1ca07b35cac92b70d9e4507fed336c3c237ff041e7b8af5aa3533786b0cdc92bcae3db39a718f5b025146a6e86c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3750544865-3773649541-1858556521-1000\_desktop.ini

Filesize
8B

MD5
587438ba3214d6958f23eced1b2cd39c

SHA1
56d9150b977089419b026aaf6ee032981c437dfd

SHA256
4a9d4c3f321c10e2bb0319dca7695b9b3252a0e1d35cfc2a09bac15d5c36e090

SHA512
31309fcfa73bf18bb138cbe3744414acc13498184290586c8f185e828027f7b0c647f3f102826099465c7995a29e8a33d95f832ffac8d16b619b53f037e4fd63

Download Submit
\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\wixstdba.dll

Filesize
126KB

MD5
d7bf29763354eda154aad637017b5483

SHA1
dfa7d296bfeecde738ef4708aaabfebec6bc1e48

SHA256
7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

SHA512
1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

Download Submit
memory/1280-45-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/2480-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2480-16-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/2480-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-19-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-49-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-1641-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-3953-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-4070-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download