537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479

General

Target

537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
Size

47KB
MD5

71ee47f249e24c195d23e02d30915fb1
SHA1

cee911d55fafa45f87cd0784912ba2d376921b9b
SHA256

537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479
SHA512

9110164c92b8188e48dbaf92dda7a78e9bca618fa94a7436c3b4a4a5ae43c87af54b49f223a010d7d5db7049951ae4fb832ec2c6d511c9c470f6a0e308cc96f4
SSDEEP

768:/IPcTO5RroZJ76739sBWsNscWlM3dN9N3ZjfPPuWQ3655Kv1X/qY1MSd:/wSe+Zk78NR3dN5nPuHqaNrFd

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1324 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe

pid process

2960 Logo1_.exe
2684 537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1324 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1324	cmd.exe

pid	process
2960	Logo1_.exe
2684	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe

pid	process
1324	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

Logo1_.exe537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe

description	ioc	process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
File created	C:\Windows\Logo1_.exe	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exeLogo1_.exe

pid	process
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe
2960	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe

pid process

2684 537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe

pid	process
2684	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exenet.exeLogo1_.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2076 wrote to memory of 2864	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	net.exe
PID 2076 wrote to memory of 2864	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	net.exe
PID 2076 wrote to memory of 2864	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	net.exe
PID 2076 wrote to memory of 2864	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	net.exe
PID 2864 wrote to memory of 2192	2864	net.exe	net1.exe
PID 2864 wrote to memory of 2192	2864	net.exe	net1.exe
PID 2864 wrote to memory of 2192	2864	net.exe	net1.exe
PID 2864 wrote to memory of 2192	2864	net.exe	net1.exe
PID 2076 wrote to memory of 1324	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	cmd.exe
PID 2076 wrote to memory of 1324	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	cmd.exe
PID 2076 wrote to memory of 1324	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	cmd.exe
PID 2076 wrote to memory of 1324	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	cmd.exe
PID 2076 wrote to memory of 2960	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	Logo1_.exe
PID 2076 wrote to memory of 2960	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	Logo1_.exe
PID 2076 wrote to memory of 2960	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	Logo1_.exe
PID 2076 wrote to memory of 2960	2076	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe	Logo1_.exe
PID 2960 wrote to memory of 2576	2960	Logo1_.exe	net.exe
PID 2960 wrote to memory of 2576	2960	Logo1_.exe	net.exe
PID 2960 wrote to memory of 2576	2960	Logo1_.exe	net.exe
PID 2960 wrote to memory of 2576	2960	Logo1_.exe	net.exe
PID 1324 wrote to memory of 2684	1324	cmd.exe	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
PID 1324 wrote to memory of 2684	1324	cmd.exe	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
PID 1324 wrote to memory of 2684	1324	cmd.exe	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
PID 1324 wrote to memory of 2684	1324	cmd.exe	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
PID 1324 wrote to memory of 2684	1324	cmd.exe	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
PID 1324 wrote to memory of 2684	1324	cmd.exe	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
PID 1324 wrote to memory of 2684	1324	cmd.exe	537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
PID 2576 wrote to memory of 2688	2576	net.exe	net1.exe
PID 2576 wrote to memory of 2688	2576	net.exe	net1.exe
PID 2576 wrote to memory of 2688	2576	net.exe	net1.exe
PID 2576 wrote to memory of 2688	2576	net.exe	net1.exe
PID 2960 wrote to memory of 2964	2960	Logo1_.exe	net.exe
PID 2960 wrote to memory of 2964	2960	Logo1_.exe	net.exe
PID 2960 wrote to memory of 2964	2960	Logo1_.exe	net.exe
PID 2960 wrote to memory of 2964	2960	Logo1_.exe	net.exe
PID 2964 wrote to memory of 2464	2964	net.exe	net1.exe
PID 2964 wrote to memory of 2464	2964	net.exe	net1.exe
PID 2964 wrote to memory of 2464	2964	net.exe	net1.exe
PID 2964 wrote to memory of 2464	2964	net.exe	net1.exe
PID 2960 wrote to memory of 1228	2960	Logo1_.exe	Explorer.EXE
PID 2960 wrote to memory of 1228	2960	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
"C:\Users\Admin\AppData\Local\Temp\537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2710.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe
"C:\Users\Admin\AppData\Local\Temp\537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:2684

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2688

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2464

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
258KB

MD5
1cf9715a389ba4876cab7d395df4d645

SHA1
0a448c44716a1d819889dabbb4eb0300535a716f

SHA256
bac5d6a06de485f137512023b413935335ddb109b8c5ecc38972fcaa4a7de491

SHA512
c59f4a9f9a05c67c10a42ba3a33fa15106d844088ea38b598dfb6a75f2c031aaf6e0c63bc5c03fa5899da11872df2a04b8c8dc18073f101f49cc0fc3b82ac7be

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
478KB

MD5
3e2d3392a9d3ae3ed27661f81e853478

SHA1
fa8c023a3bff75e89ed39f5d4bfb5693d818ca8b

SHA256
09da8a31b7f420b9e4ed6d02e698bcc12a4f3efa46a53d1492a241a5784d44a8

SHA512
27652a29d728b92995b8ce46b150cd14baf5b65789591085ef3fa959dbc99efaa071b7a014ccaabeb6e84cdea642769dc98a7a1684afcda9be82dbb0b8d3fa17

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2710.bat
Filesize
722B

MD5
e2a0c1d84705934bddc5ebb65e6b61ce

SHA1
d176641095df53b03a0e0c75ffdb0fc7e945d2d7

SHA256
c76835908b2ec93ec837249d2266e5bd9a44aaab37c284349adc556510bc281b

SHA512
6da3c3d04e5116efd7501ca82251b537bd26beaf03dd5df75d815f7429e2a746b9808495e5acd74f25144765e766b6b218d85c92ab0207b3106d95347a7f81f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\537d821ae20091bca9df3b89d52c5f4a5491f9e281d59fcfcdbfb6718d1af479.exe.exe
Filesize
14KB

MD5
ad782ffac62e14e2269bf1379bccbaae

SHA1
9539773b550e902a35764574a2be2d05bc0d8afc

SHA256
1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8

SHA512
a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

Download Submit
C:\Windows\Logo1_.exe
Filesize
33KB

MD5
030c9aac5dcb76c5a06bf0ac2cdecfb0

SHA1
18f137b0ad656c47efffbc845449b5e80294bfd2

SHA256
815990d99ef2e24393dfdaac82ed03ab38096386d327ae3a8f670c63e02dbf79

SHA512
4db5e2a3c0e3d70003437fd15eebe90bb4574450b600bcac0fb52842c646fe5c098912ad479cf3ec4a490c985ba837e37ed5bdeec5db2ca57b16360290e0cce5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini
Filesize
9B

MD5
e7957b9f3d9556c996418169821a7993

SHA1
b7028de0f91d2e50a8d5f6d23613331a2784a142

SHA256
71a21a13d7822776d52d9a6146651dc9155db9f0bfbd978acf43d12dea2a8539

SHA512
72bc8552047095449fa4c3c21300183acfc7b33e6ab69c11435542e2862cb9e896bbfdedaeb97ec6edac8ed68220507a302d1ed2217624c97f6e9a83c0d3a285

Download Submit
memory/1228-27-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2076-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2076-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-30-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-3321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-4139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads