e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f

General

Target

e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
Size

717KB
MD5

fdb01b0966f22705893fe636811b03c1
SHA1

ed69e85e740567ef4b71a6464f69c7c830002e8d
SHA256

e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f
SHA512

d7f62421d1c42ac7e51545f9de862fae4c9f6e4ea285abd0cd0a934b1a9991218d6d6911dee783e1e6bb050b1a19d8735d013ee055ffe7d31c79552beb444f5e
SSDEEP

12288:O+aJfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:OBpLOS2opPIXV

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2620 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

Logo1_.exee6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exeExplorer.EXE

pid process

2648 Logo1_.exe
2860 e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
1080 Explorer.EXE
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2620 cmd.exe
2620 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2620	cmd.exe

pid	process
2648	Logo1_.exe
2860	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
1080	Explorer.EXE

pid	process
2620	cmd.exe
2620	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Uninstall Information\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

Logo1_.exee6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe

description	ioc	process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
File created	C:\Windows\Logo1_.exe	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exeLogo1_.exe

pid	process
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exenet.exeLogo1_.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2352 wrote to memory of 2640	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	net.exe
PID 2352 wrote to memory of 2640	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	net.exe
PID 2352 wrote to memory of 2640	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	net.exe
PID 2352 wrote to memory of 2640	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	net.exe
PID 2640 wrote to memory of 2068	2640	net.exe	net1.exe
PID 2640 wrote to memory of 2068	2640	net.exe	net1.exe
PID 2640 wrote to memory of 2068	2640	net.exe	net1.exe
PID 2640 wrote to memory of 2068	2640	net.exe	net1.exe
PID 2352 wrote to memory of 2620	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	cmd.exe
PID 2352 wrote to memory of 2620	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	cmd.exe
PID 2352 wrote to memory of 2620	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	cmd.exe
PID 2352 wrote to memory of 2620	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	cmd.exe
PID 2352 wrote to memory of 2648	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	Logo1_.exe
PID 2352 wrote to memory of 2648	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	Logo1_.exe
PID 2352 wrote to memory of 2648	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	Logo1_.exe
PID 2352 wrote to memory of 2648	2352	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	Logo1_.exe
PID 2648 wrote to memory of 2720	2648	Logo1_.exe	net.exe
PID 2648 wrote to memory of 2720	2648	Logo1_.exe	net.exe
PID 2648 wrote to memory of 2720	2648	Logo1_.exe	net.exe
PID 2648 wrote to memory of 2720	2648	Logo1_.exe	net.exe
PID 2620 wrote to memory of 2860	2620	cmd.exe	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
PID 2620 wrote to memory of 2860	2620	cmd.exe	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
PID 2620 wrote to memory of 2860	2620	cmd.exe	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
PID 2620 wrote to memory of 2860	2620	cmd.exe	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
PID 2720 wrote to memory of 2512	2720	net.exe	net1.exe
PID 2720 wrote to memory of 2512	2720	net.exe	net1.exe
PID 2720 wrote to memory of 2512	2720	net.exe	net1.exe
PID 2720 wrote to memory of 2512	2720	net.exe	net1.exe
PID 2648 wrote to memory of 2480	2648	Logo1_.exe	net.exe
PID 2648 wrote to memory of 2480	2648	Logo1_.exe	net.exe
PID 2648 wrote to memory of 2480	2648	Logo1_.exe	net.exe
PID 2648 wrote to memory of 2480	2648	Logo1_.exe	net.exe
PID 2480 wrote to memory of 2444	2480	net.exe	net1.exe
PID 2480 wrote to memory of 2444	2480	net.exe	net1.exe
PID 2480 wrote to memory of 2444	2480	net.exe	net1.exe
PID 2480 wrote to memory of 2444	2480	net.exe	net1.exe
PID 2648 wrote to memory of 1080	2648	Logo1_.exe	Explorer.EXE
PID 2648 wrote to memory of 1080	2648	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1080

C:\Users\Admin\AppData\Local\Temp\e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
"C:\Users\Admin\AppData\Local\Temp\e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a16DB.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
"C:\Users\Admin\AppData\Local\Temp\e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe"
4⤵
- Executes dropped EXE
PID:2860

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2512

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2444

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
258KB

MD5
9ac10f2289f81d00cb5315e30a25967d

SHA1
43f3ec8b12b8ef26c5e0151a50e708edd8a3e979

SHA256
a978211529b28a3b66408c32636b82ef4405121d57e90a911c60f3810be3c0cc

SHA512
211d2c4d98509e4b0df64c0b31331431486886ae40c106ca1af496a2573fcfce3737d3574f6f41e39b02cf35b67859c14e46d58b30cf59062f8b68ec76dc1a77

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
478KB

MD5
f01e1e0718ca3110b117e544489e3839

SHA1
6c19ce81349add991c3a88926d586b3de6ff9548

SHA256
b044da00ae636042dc22870432b28488014098b7e01350031e82a361d45b588d

SHA512
ee9a34b33e30eed3ef7676c7c86c88f748886527fe61d2133a8f3365d11848de66b1c118ea4d3a05f97363d6dc829c4490e839e20a16847a651cc915b47b5a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a16DB.bat
Filesize
722B

MD5
39fbef70068dbf42a393676e78844b84

SHA1
e54456f082a3c14e9b6c9a32ef3d5101b6ff5297

SHA256
76840bd4c3e328a35248f1470ae4e128bc8d2c2ff94f5d63bf3a83f2fd882c6e

SHA512
50396ab917b66da91ccd6221e9633da2be0d9383f8720e084ff439172d49aafadf446accde246c677752bf98c44724e2e3addbff2768c823f4acf45dd0ea3cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe.exe
Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
C:\Windows\Logo1_.exe
Filesize
33KB

MD5
beaa56a0e4764dd95329202a0a92e326

SHA1
1e18f4051244e4aa8eabbddc7001ffcdc2adc055

SHA256
02424a4ca6ac65d66c89b79493d30a0c54c46da6ec225ef5ae1c724913451a08

SHA512
fc65d6da1e1f112abbb37c5227823980d644b6436cec5d44a75de9e97ba9e709010fc6edb064c592ce931412612010c7254bc5eb6c4aec004510786525276e25

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini
Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/1080-29-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/2352-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2648-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2648-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2648-3319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2648-4143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads