16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede

General

Target

16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
Size

963KB
MD5

ad550ecc833880ec939711174909e484
SHA1

e345af1d66acaab2b879643f5711d6923d234621
SHA256

16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede
SHA512

00e9c6e1e47b5d87a002e7a008c7187b3ef53aebfc677cfffc06c8bd783de70e8ef9a6c9411cdb885a5c76c8ce4af53a00ce81cd2b711714e037918b98cdb32f
SSDEEP

12288:O+ayRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:OBbBpDRmi78gkPXlyo0G/jr

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2600 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe

pid process

2616 Logo1_.exe
2428 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2600 cmd.exe
2600 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2600	cmd.exe

pid	process
2616	Logo1_.exe
2428	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe

pid	process
2600	cmd.exe
2600	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
File created	C:\Windows\Logo1_.exe	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exeLogo1_.exe

pid	process
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe

pid process

2428 16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe

pid	process
2428	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe

description	pid	process
Token: SeRestorePrivilege	2428	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
Token: 35	2428	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1908 wrote to memory of 2052	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	net.exe
PID 1908 wrote to memory of 2052	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	net.exe
PID 1908 wrote to memory of 2052	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	net.exe
PID 1908 wrote to memory of 2052	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	net.exe
PID 2052 wrote to memory of 2476	2052	net.exe	net1.exe
PID 2052 wrote to memory of 2476	2052	net.exe	net1.exe
PID 2052 wrote to memory of 2476	2052	net.exe	net1.exe
PID 2052 wrote to memory of 2476	2052	net.exe	net1.exe
PID 1908 wrote to memory of 2600	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	cmd.exe
PID 1908 wrote to memory of 2600	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	cmd.exe
PID 1908 wrote to memory of 2600	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	cmd.exe
PID 1908 wrote to memory of 2600	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	cmd.exe
PID 1908 wrote to memory of 2616	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	Logo1_.exe
PID 1908 wrote to memory of 2616	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	Logo1_.exe
PID 1908 wrote to memory of 2616	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	Logo1_.exe
PID 1908 wrote to memory of 2616	1908	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe	Logo1_.exe
PID 2616 wrote to memory of 2528	2616	Logo1_.exe	net.exe
PID 2616 wrote to memory of 2528	2616	Logo1_.exe	net.exe
PID 2616 wrote to memory of 2528	2616	Logo1_.exe	net.exe
PID 2616 wrote to memory of 2528	2616	Logo1_.exe	net.exe
PID 2528 wrote to memory of 1584	2528	net.exe	net1.exe
PID 2528 wrote to memory of 1584	2528	net.exe	net1.exe
PID 2528 wrote to memory of 1584	2528	net.exe	net1.exe
PID 2528 wrote to memory of 1584	2528	net.exe	net1.exe
PID 2600 wrote to memory of 2428	2600	cmd.exe	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
PID 2600 wrote to memory of 2428	2600	cmd.exe	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
PID 2600 wrote to memory of 2428	2600	cmd.exe	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
PID 2600 wrote to memory of 2428	2600	cmd.exe	16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
PID 2616 wrote to memory of 1748	2616	Logo1_.exe	net.exe
PID 2616 wrote to memory of 1748	2616	Logo1_.exe	net.exe
PID 2616 wrote to memory of 1748	2616	Logo1_.exe	net.exe
PID 2616 wrote to memory of 1748	2616	Logo1_.exe	net.exe
PID 1748 wrote to memory of 2508	1748	net.exe	net1.exe
PID 1748 wrote to memory of 2508	1748	net.exe	net1.exe
PID 1748 wrote to memory of 2508	1748	net.exe	net1.exe
PID 1748 wrote to memory of 2508	1748	net.exe	net1.exe
PID 2616 wrote to memory of 1192	2616	Logo1_.exe	Explorer.EXE
PID 2616 wrote to memory of 1192	2616	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
"C:\Users\Admin\AppData\Local\Temp\16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA296.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe
"C:\Users\Admin\AppData\Local\Temp\16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1584

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2508

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
258KB

MD5
9ac10f2289f81d00cb5315e30a25967d

SHA1
43f3ec8b12b8ef26c5e0151a50e708edd8a3e979

SHA256
a978211529b28a3b66408c32636b82ef4405121d57e90a911c60f3810be3c0cc

SHA512
211d2c4d98509e4b0df64c0b31331431486886ae40c106ca1af496a2573fcfce3737d3574f6f41e39b02cf35b67859c14e46d58b30cf59062f8b68ec76dc1a77

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
478KB

MD5
f01e1e0718ca3110b117e544489e3839

SHA1
6c19ce81349add991c3a88926d586b3de6ff9548

SHA256
b044da00ae636042dc22870432b28488014098b7e01350031e82a361d45b588d

SHA512
ee9a34b33e30eed3ef7676c7c86c88f748886527fe61d2133a8f3365d11848de66b1c118ea4d3a05f97363d6dc829c4490e839e20a16847a651cc915b47b5a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA296.bat
Filesize
722B

MD5
a1db5addf870023b9ef98833b689d05c

SHA1
ffc7268e0401cd69f4f172d9e4e59fbff49d4eca

SHA256
c72a8a302d4c07bf2721e6e8b0d724584159ce3be87f8eb4080d839fde99da61

SHA512
07aaaf7703f7f3ac74cf40cdbe710db2dc14a0cc05a947e41ffc457c180f9fb6271bb7e2e31736a592ffe8e0a41947af64c71dbaea1780b408fce7415aa4df82

Download Submit
C:\Users\Admin\AppData\Local\Temp\16900af61edd05e430e87cedd22620a59ee6c1cb41ee668e83731e2d20474ede.exe.exe
Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Windows\Logo1_.exe
Filesize
33KB

MD5
beaa56a0e4764dd95329202a0a92e326

SHA1
1e18f4051244e4aa8eabbddc7001ffcdc2adc055

SHA256
02424a4ca6ac65d66c89b79493d30a0c54c46da6ec225ef5ae1c724913451a08

SHA512
fc65d6da1e1f112abbb37c5227823980d644b6436cec5d44a75de9e97ba9e709010fc6edb064c592ce931412612010c7254bc5eb6c4aec004510786525276e25

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/1192-30-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/1908-16-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download
memory/1908-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1908-17-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download
memory/1908-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2616-33-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2616-1837-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2616-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2616-3810-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2616-4082-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads