d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf

General

Target

d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
Size

963KB
MD5

1f7a03d36e0daf89dfda24df933d90df
SHA1

e3c7dd7e4cffbff39728e88d49c884b3545fe530
SHA256

d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf
SHA512

b7084148680cf3a1c6aa7c59e51fd35dfd0b84646ff78ebf3b31aeeae49482579bc729081268e218c60442d393204bc85e53ad40a25000f93c403b8ea0252342
SSDEEP

12288:m+aM4RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:mBWBpDRmi78gkPXlyo0G/jr

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2536 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exed7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe

pid process

2524 Logo1_.exe
2528 d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2536 cmd.exe
2536 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2536	cmd.exe

pid	process
2524	Logo1_.exe
2528	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe

pid	process
2536	cmd.exe
2536	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
File created	C:\Windows\Logo1_.exe	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exeLogo1_.exe

pid	process
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe

pid process

2528 d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe

pid	process
2528	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe

description	pid	process
Token: SeRestorePrivilege	2528	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
Token: 35	2528	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1812 wrote to memory of 2072	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	net.exe
PID 1812 wrote to memory of 2072	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	net.exe
PID 1812 wrote to memory of 2072	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	net.exe
PID 1812 wrote to memory of 2072	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	net.exe
PID 2072 wrote to memory of 3060	2072	net.exe	net1.exe
PID 2072 wrote to memory of 3060	2072	net.exe	net1.exe
PID 2072 wrote to memory of 3060	2072	net.exe	net1.exe
PID 2072 wrote to memory of 3060	2072	net.exe	net1.exe
PID 1812 wrote to memory of 2536	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	cmd.exe
PID 1812 wrote to memory of 2536	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	cmd.exe
PID 1812 wrote to memory of 2536	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	cmd.exe
PID 1812 wrote to memory of 2536	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	cmd.exe
PID 1812 wrote to memory of 2524	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	Logo1_.exe
PID 1812 wrote to memory of 2524	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	Logo1_.exe
PID 1812 wrote to memory of 2524	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	Logo1_.exe
PID 1812 wrote to memory of 2524	1812	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe	Logo1_.exe
PID 2524 wrote to memory of 2428	2524	Logo1_.exe	net.exe
PID 2524 wrote to memory of 2428	2524	Logo1_.exe	net.exe
PID 2524 wrote to memory of 2428	2524	Logo1_.exe	net.exe
PID 2524 wrote to memory of 2428	2524	Logo1_.exe	net.exe
PID 2428 wrote to memory of 2564	2428	net.exe	net1.exe
PID 2428 wrote to memory of 2564	2428	net.exe	net1.exe
PID 2428 wrote to memory of 2564	2428	net.exe	net1.exe
PID 2428 wrote to memory of 2564	2428	net.exe	net1.exe
PID 2536 wrote to memory of 2528	2536	cmd.exe	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
PID 2536 wrote to memory of 2528	2536	cmd.exe	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
PID 2536 wrote to memory of 2528	2536	cmd.exe	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
PID 2536 wrote to memory of 2528	2536	cmd.exe	d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
PID 2524 wrote to memory of 2404	2524	Logo1_.exe	net.exe
PID 2524 wrote to memory of 2404	2524	Logo1_.exe	net.exe
PID 2524 wrote to memory of 2404	2524	Logo1_.exe	net.exe
PID 2524 wrote to memory of 2404	2524	Logo1_.exe	net.exe
PID 2404 wrote to memory of 2512	2404	net.exe	net1.exe
PID 2404 wrote to memory of 2512	2404	net.exe	net1.exe
PID 2404 wrote to memory of 2512	2404	net.exe	net1.exe
PID 2404 wrote to memory of 2512	2404	net.exe	net1.exe
PID 2524 wrote to memory of 1212	2524	Logo1_.exe	Explorer.EXE
PID 2524 wrote to memory of 1212	2524	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
"C:\Users\Admin\AppData\Local\Temp\d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2D57.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
"C:\Users\Admin\AppData\Local\Temp\d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2564

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2512

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
478KB

MD5
3e2d3392a9d3ae3ed27661f81e853478

SHA1
fa8c023a3bff75e89ed39f5d4bfb5693d818ca8b

SHA256
09da8a31b7f420b9e4ed6d02e698bcc12a4f3efa46a53d1492a241a5784d44a8

SHA512
27652a29d728b92995b8ce46b150cd14baf5b65789591085ef3fa959dbc99efaa071b7a014ccaabeb6e84cdea642769dc98a7a1684afcda9be82dbb0b8d3fa17

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2D57.bat
Filesize
722B

MD5
ae0530799b4886f5d687e67310ab0855

SHA1
8bc9a0299b493e41f9b5eab9d1738cf56a26bb7c

SHA256
8e1f8499f6f18c133103c1bf815efc98719936c1c8cc47c35733ef0b2b930a7e

SHA512
b15acaaa1edad770a9ddbf9f2038defee5b3499aaf72d5b30575a693a62c14af552356ed8bc1d62aaa1f44482c164a221c2404d5b308d53af854e82fe90ef06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7b0c77dbdefc86699a442daa9fb76de01756eeeecad0fb0ce60f187a47eb1cf.exe
Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Windows\Logo1_.exe
Filesize
33KB

MD5
3659e75ad8a2bdeef5f1d74aae41c2af

SHA1
95b2fa7bc2afbc1f412fc4285dbb6a15cc658a8a

SHA256
dbb4fdb10597cfb189203f72e75a2f2769a6960ed1acc1baa901742a344ae52d

SHA512
f19bbad48af80437f083d21cf89839bee9d30d50162df60a0d7c8205b646739332e55371f5d6c005f69681e41f00df936942c06f94f1a38c25084e438cac61e2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
Filesize
9B

MD5
e7957b9f3d9556c996418169821a7993

SHA1
b7028de0f91d2e50a8d5f6d23613331a2784a142

SHA256
71a21a13d7822776d52d9a6146651dc9155db9f0bfbd978acf43d12dea2a8539

SHA512
72bc8552047095449fa4c3c21300183acfc7b33e6ab69c11435542e2862cb9e896bbfdedaeb97ec6edac8ed68220507a302d1ed2217624c97f6e9a83c0d3a285

Download Submit
memory/1212-30-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/1812-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1812-17-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/1812-12-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/1812-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-33-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-3320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-4142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads