57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32

General

Target

57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
Size

717KB
MD5

ef8f03c5889898be3b313c3c0c92536f
SHA1

3a06ae848105787640256521c1c52e745d819ada
SHA256

57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32
SHA512

ca093fc94c3a1ec3099d9c2abe1b6760c2b087fa202176486c92680377b5a040eb684f271d97b8ffa18b6babf8b44ec58f070ea401080be9578fa7eb89b64ea8
SSDEEP

12288:h+aGfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:hBaLOS2opPIXV

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2524 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

Logo1_.exe57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exeExplorer.EXE

pid process

1168 Logo1_.exe
2500 57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1172 Explorer.EXE
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2524 cmd.exe
2524 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2524	cmd.exe

pid	process
1168	Logo1_.exe
2500	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1172	Explorer.EXE

pid	process
2524	cmd.exe
2524	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	Logo1_.exe
File created	C:\Program Files\MSBuild\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\Logo1_.exe	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exeLogo1_.exe

pid	process
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe
1168	Logo1_.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1948 wrote to memory of 2036	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	net.exe
PID 1948 wrote to memory of 2036	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	net.exe
PID 1948 wrote to memory of 2036	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	net.exe
PID 1948 wrote to memory of 2036	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	net.exe
PID 2036 wrote to memory of 2668	2036	net.exe	net1.exe
PID 2036 wrote to memory of 2668	2036	net.exe	net1.exe
PID 2036 wrote to memory of 2668	2036	net.exe	net1.exe
PID 2036 wrote to memory of 2668	2036	net.exe	net1.exe
PID 1948 wrote to memory of 2524	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	cmd.exe
PID 1948 wrote to memory of 2524	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	cmd.exe
PID 1948 wrote to memory of 2524	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	cmd.exe
PID 1948 wrote to memory of 2524	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	cmd.exe
PID 1948 wrote to memory of 1168	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	Logo1_.exe
PID 1948 wrote to memory of 1168	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	Logo1_.exe
PID 1948 wrote to memory of 1168	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	Logo1_.exe
PID 1948 wrote to memory of 1168	1948	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe	Logo1_.exe
PID 1168 wrote to memory of 2536	1168	Logo1_.exe	net.exe
PID 1168 wrote to memory of 2536	1168	Logo1_.exe	net.exe
PID 1168 wrote to memory of 2536	1168	Logo1_.exe	net.exe
PID 1168 wrote to memory of 2536	1168	Logo1_.exe	net.exe
PID 2536 wrote to memory of 2800	2536	net.exe	net1.exe
PID 2536 wrote to memory of 2800	2536	net.exe	net1.exe
PID 2536 wrote to memory of 2800	2536	net.exe	net1.exe
PID 2536 wrote to memory of 2800	2536	net.exe	net1.exe
PID 2524 wrote to memory of 2500	2524	cmd.exe	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
PID 2524 wrote to memory of 2500	2524	cmd.exe	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
PID 2524 wrote to memory of 2500	2524	cmd.exe	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
PID 2524 wrote to memory of 2500	2524	cmd.exe	57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
PID 1168 wrote to memory of 2432	1168	Logo1_.exe	net.exe
PID 1168 wrote to memory of 2432	1168	Logo1_.exe	net.exe
PID 1168 wrote to memory of 2432	1168	Logo1_.exe	net.exe
PID 1168 wrote to memory of 2432	1168	Logo1_.exe	net.exe
PID 2432 wrote to memory of 2556	2432	net.exe	net1.exe
PID 2432 wrote to memory of 2556	2432	net.exe	net1.exe
PID 2432 wrote to memory of 2556	2432	net.exe	net1.exe
PID 2432 wrote to memory of 2556	2432	net.exe	net1.exe
PID 1168 wrote to memory of 1172	1168	Logo1_.exe	Explorer.EXE
PID 1168 wrote to memory of 1172	1168	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Local\Temp\57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
"C:\Users\Admin\AppData\Local\Temp\57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a27BC.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe
"C:\Users\Admin\AppData\Local\Temp\57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe"
4⤵
- Executes dropped EXE
PID:2500

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2800

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2556

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
477KB

MD5
c6c3f9890c41439a4dfc9fd4bec7b0bd

SHA1
f5c4a05f34d1a08abf73514f5b3ddcedc704f2f0

SHA256
462f333d5748c1a756e2565a2d76f89c9fdafb8d2fa62a83c60e4f70d0da2f92

SHA512
69212e26a76e5e67e2b1337bfd97ad766293d6c0093ce0d8ef5fa768cd002094d9de936620a479bb474e27ff359b08d751ccfe37b9a15824f39b548596a9098a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a27BC.bat
Filesize
722B

MD5
e928bde956455f6f1ca27619c5dc6487

SHA1
869d5574acdd8b82daaa4891e1002680ad1a0d21

SHA256
dab5735e591ad80fa6d48aed2bd8f8e17ccf9d68e785a8a5c80aec90bc10905c

SHA512
f5a70b6ba95354783f77bfd1370322b7ab3163aafec9026ab4b904448e11d66a237fc3debd880846d9cfe7aaa3f5b680f503a538c25ecfa1b15541e6da7a95da

Download Submit
C:\Users\Admin\AppData\Local\Temp\57ce7c1ae7481d8e9e55b87fefd55125dfc2218d08f6076bb987fd50572e9a32.exe.exe
Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
C:\Windows\Logo1_.exe
Filesize
33KB

MD5
90af05e3cb7c1f99e93cf30628c6ff6b

SHA1
78f626957a968034343f4a6b8ebe3fd9169fe383

SHA256
f9db023feaf3209cb67c9e4871d64ca281d11b93b1ba7a4914dd1b084801d62b

SHA512
4b3b569b9983d6d01880e31724803db3880594e10a99bf0ee04f6ec8e7d84c9572c618419678298d4bbf31c4c7fc0ca68dfa7235d3889200a89ced2afabb70bd

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
Filesize
9B

MD5
7d02194d5f21d1288ee3e3f595122aba

SHA1
68e51fcc75148bf51da5ad67c7137b85946fc393

SHA256
a4da2cd5e1bd5b7cc915b0572d2805cb074c16122fa7e5a41fbc1203aafc3416

SHA512
b5aba933dbbe76d9c49da7e4bd9aa8449f164d1a6563feb65e795fd497f42a5c8cc317186adf817990a180e46499987a7403b68b0b089a38ccda0fc9f2dd6c1c

Download Submit
memory/1168-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1168-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1168-3319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1168-4143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-29-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1948-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1948-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads