Analysis
- max time kernel: 150s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
- submitted: 22-05-2024 23:20
Static task: static1
Behavioral task: behavioral1
Sample: be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
Resource: win7-20240215-en
General
- Target: be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
- Size: 70KB
- MD5: 9b5e3afec7f6424af3b48ff46ff4e46d
- SHA1: 565d745139f60287cbf9bed567f38c11aa78ce3a
- SHA256: be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16
- SHA512: 15ae6f2a7b1c7b3b3777e0a4d1c3861e4c60287c2d357b528bb545451360842c26e15979a4892953a0e9f9a480c8f7c6510bd1be4b44f7c24843d56bb8ee6c7d
- SSDEEP: 1536:PFaYzMXqtGNttyUn01Q78a4Rwriw+d9bHrkT5gUHz7FxtJ:PFaY46tGNttyJQ7KRwrBkfkT5xHzD
Malware Config
Signatures
-
Drops file in Drivers directory (2 IoCs)
Processes: be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe, Logo1_.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
-
Drops startup file (2 IoCs)
Processes: Logo1_.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe, be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
pid | process
1888 | Logo1_.exe
5288 | be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
description | ioc | process
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
-
Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\tt\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Services\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Security\BrowserCore\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre8\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Uninstall Information\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\_desktop.ini | Logo1_.exe
-
Drops file in Windows directory (4 IoCs)
Processes: be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe, Logo1_.exe
description | ioc | process
File created | C:\Windows\rundl132.exe | be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
File created | C:\Windows\Logo1_.exe | be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe, Logo1_.exe
pid | process
2072 | be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe (this entry is listed repeatedly; the 64 IoCs are made up of this row and the one below)
1888 | Logo1_.exe (this entry is listed repeatedly)
-
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe, net.exe, Logo1_.exe, net.exe, cmd.exe, net.exe
description | pid | process | target process | times listed
PID 2072 wrote to memory of 4132 | 2072 | be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe | net.exe | 3
PID 4132 wrote to memory of 2448 | 4132 | net.exe | net1.exe | 3
PID 2072 wrote to memory of 2624 | 2072 | be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe | cmd.exe | 3
PID 2072 wrote to memory of 1888 | 2072 | be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe | Logo1_.exe | 3
PID 1888 wrote to memory of 5024 | 1888 | Logo1_.exe | net.exe | 3
PID 5024 wrote to memory of 3228 | 5024 | net.exe | net1.exe | 3
PID 2624 wrote to memory of 5288 | 2624 | cmd.exe | be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe | 2
PID 1888 wrote to memory of 3164 | 1888 | Logo1_.exe | net.exe | 3
PID 3164 wrote to memory of 3476 | 3164 | net.exe | net1.exe | 3
PID 1888 wrote to memory of 3500 | 1888 | Logo1_.exe | Explorer.EXE | 2
Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe"
      - Drops file in Drivers directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a343F.bat
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe"
          - Executes dropped EXE
    [3] C:\Windows\Logo1_.exe
        Command line: C:\Windows\Logo1_.exe
        - Drops file in Drivers directory
        - Drops startup file
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe
          Command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      [4] C:\Windows\SysWOW64\net.exe
          Command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files\WriteGet.exe
  Filesize: 892KB
  MD5: fad6f914752e85a082681b82c2dcff8a
  SHA1: cbd7536c82d7084c4bb9b32ce289bbc56cfe696d
  SHA256: 9cd390e355aa190334fe4744c37aeda54daee63ceb9bbbfa5c6717466929c9c1
  SHA512: 4378b61cea43c829654a1fe8553af6cc7e1b64ad7e6dd3fe4f0e2f60f28cf617b174afa9157c0be9b6cdb1dcc25cf4937a93edfcd72966184af8aa6c38496bdd
- C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  Filesize: 643KB
  MD5: 635e9422a0a86f5c7ac989802b0ac448
  SHA1: 3ea9cc1462b063639526a8d278b571f38b846d1d
  SHA256: a97d8545a6204abf1a179f2098ca8780e92f4448c7a03e62f6c32e8e5e5cb17f
  SHA512: 857c6d683fe1f7a6757420c84efc4f7f48f58e586e601c969ce27e4ded8cad6ca774ef367a1a1e075081c4e2d41f8cdda558fddf5622e062975cfeff5a929133
- C:\Users\Admin\AppData\Local\Temp\$$a343F.bat
  Filesize: 722B
  MD5: 4982eab065660d74beeecf4d26dc100a
  SHA1: 231f8fffd4518bdad1e444f2baf53b024456001a
  SHA256: fa370f3a2c39e75b1785c632f4fa6434c5700856ab9219c4718345feb5fd16e5
  SHA512: afc1849e23609d08c55b9f71ddd340bf9db4d2e1fe1b6cd2d47c84901e3f566f712e2bc48bedfbf9f6bdaa3eb9bcdb6badd475dd36820a3d9b0be1cb68c6c520
- C:\Users\Admin\AppData\Local\Temp\be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe.exe
  Filesize: 36KB
  MD5: 9f498971cbe636662f3d210747d619e1
  SHA1: 44b8e2732fa1e2f204fc70eaa1cb406616250085
  SHA256: 8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41
  SHA512: b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93
- C:\Windows\Logo1_.exe
  Filesize: 33KB
  MD5: 1f84b18db78866f74a67bd2659cabbdb
  SHA1: a939bce6428210b23131eaf06bc7b08a5cb971e4
  SHA256: 3e05e2a6fc214496dd7e7200ea3b0375fb22b111e3e7bce4d4728c6b528b209a
  SHA512: 21a24ce58d7e8555d3ac8fa48f8efe648215caf2d4692564a5015f241a8abd62492dda085d48630eac588602b9ef53bc939f633e2771a05562468545104d81e1
- C:\Windows\system32\drivers\etc\hosts
  Filesize: 842B
  MD5: 6f4adf207ef402d9ef40c6aa52ffd245
  SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
  SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
  SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47
- F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\_desktop.ini
  Filesize: 9B
  MD5: ef2876ec14bdb3dc085fc3af9311b015
  SHA1: 68b64b46b1ff0fdc9f009d8fffb8ee87c597fa56
  SHA256: ac2a34b4f2d44d19ca4269caf9f4e71cdb0b95ba8eb89ed52c5bc56eeeb1971c
  SHA512: c9998caa062ad5b1da853fabb80e88e41d9f96109af89df0309be20469ca8f5be9dd1c08f3c97030e3a487732e82304f60ee2627462e017579da4204bc163c8f
- memory/1888-20-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
- memory/1888-2797-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
- memory/1888-13-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
- memory/1888-8656-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
- memory/2072-12-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
- memory/2072-0-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB