Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 11:18

Static task: static1
Behavioral task: behavioral1
Sample: 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe
Resource: win7-20240508-en

General
- Target: 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe
- Size: 367KB
- MD5: def4836b6232998a6986414348449b90
- SHA1: 812b170840100f737d26c0e7372383669286018b
- SHA256: 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df
- SHA512: 162e21adf04e30c30caaa2f216a0970ceeb66f80fb69e4e019264c8bb299450b848c225e84bdc9588f4563cfd422d8c5c9c96a6ad3759c481c000621c6e0f95e
- SSDEEP: 6144:s46tGdy1ZCH9L5d5ezLqIFQSDdABbSbIrx1L1l3ERF:s3N1ZCH9Eq+0BbSox1QF

Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes: 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe, Logo1_.exe
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: Logo1_.exe)

Deletes itself 1 IoCs
Processes: cmd.exe
- PID 2708: cmd.exe

Executes dropped EXE 2 IoCs
Processes: Logo1_.exe, 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe
- PID 2692: Logo1_.exe
- PID 2236: 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe

Loads dropped DLL 1 IoCs
Processes: cmd.exe
- PID 2708: cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
Processes: 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe, Logo1_.exe
- File created: C:\Windows\rundl132.exe (process: 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe)
- File created: C:\Windows\Logo1_.exe (process: 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe)
- File opened for modification: C:\Windows\rundl132.exe (process: Logo1_.exe)
- File created: C:\Windows\Dll.dll (process: Logo1_.exe)

Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe
- PID 2236: 41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe

Suspicious use of WriteProcessMemory 41 IoCs
Processes
- PID 1204: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - PID 2920: C:\Users\Admin\AppData\Local\Temp\41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe"
    Signatures: Drops file in Drivers directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - PID 2376: C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      - PID 3008: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - PID 2708: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a31DA.bat
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - PID 2236: C:\Users\Admin\AppData\Local\Temp\41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - PID 2692: C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops file in Drivers directory; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - PID 2684: C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - PID 2660: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - PID 2980: C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - PID 2516: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\41ad149f60dd7bae69148e3b40baffb0fceb8c8e2104f64660969a2b63f380df.exe.exe
Filesize: 333KB