4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9

General

Target

4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
Size

2.8MB
MD5

1e92196cd59fa7135fa0db2312b10cf4
SHA1

c8817e82e3dd7abefd79e688b1069155deacfb1c
SHA256

4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9
SHA512

29e16f080ca122eb641bf1744ba7cb14ea3e40a0f298747cb35198c01f96573721610cd92130aaf6aeaa11a09605a53275b389c7dfcb44c99fbb3f9632b6cccf
SSDEEP

49152:EBj6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:Ecd1XdhBiiMa7

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2636 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe

pid process

2688 Logo1_.exe
2524 4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2636 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2636	cmd.exe

pid	process
2688	Logo1_.exe
2524	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe

pid	process
2636	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
File created	C:\Windows\Logo1_.exe	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exeLogo1_.exe

pid	process
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exenet.exeLogo1_.exenet.exenet.exe

description	pid	process	target process
PID 2492 wrote to memory of 3008	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	net.exe
PID 2492 wrote to memory of 3008	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	net.exe
PID 2492 wrote to memory of 3008	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	net.exe
PID 2492 wrote to memory of 3008	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	net.exe
PID 3008 wrote to memory of 2892	3008	net.exe	net1.exe
PID 3008 wrote to memory of 2892	3008	net.exe	net1.exe
PID 3008 wrote to memory of 2892	3008	net.exe	net1.exe
PID 3008 wrote to memory of 2892	3008	net.exe	net1.exe
PID 2492 wrote to memory of 2636	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	cmd.exe
PID 2492 wrote to memory of 2636	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	cmd.exe
PID 2492 wrote to memory of 2636	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	cmd.exe
PID 2492 wrote to memory of 2636	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	cmd.exe
PID 2492 wrote to memory of 2688	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	Logo1_.exe
PID 2492 wrote to memory of 2688	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	Logo1_.exe
PID 2492 wrote to memory of 2688	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	Logo1_.exe
PID 2492 wrote to memory of 2688	2492	4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe	Logo1_.exe
PID 2688 wrote to memory of 2416	2688	Logo1_.exe	net.exe
PID 2688 wrote to memory of 2416	2688	Logo1_.exe	net.exe
PID 2688 wrote to memory of 2416	2688	Logo1_.exe	net.exe
PID 2688 wrote to memory of 2416	2688	Logo1_.exe	net.exe
PID 2416 wrote to memory of 2444	2416	net.exe	net1.exe
PID 2416 wrote to memory of 2444	2416	net.exe	net1.exe
PID 2416 wrote to memory of 2444	2416	net.exe	net1.exe
PID 2416 wrote to memory of 2444	2416	net.exe	net1.exe
PID 2688 wrote to memory of 2712	2688	Logo1_.exe	net.exe
PID 2688 wrote to memory of 2712	2688	Logo1_.exe	net.exe
PID 2688 wrote to memory of 2712	2688	Logo1_.exe	net.exe
PID 2688 wrote to memory of 2712	2688	Logo1_.exe	net.exe
PID 2712 wrote to memory of 2572	2712	net.exe	net1.exe
PID 2712 wrote to memory of 2572	2712	net.exe	net1.exe
PID 2712 wrote to memory of 2572	2712	net.exe	net1.exe
PID 2712 wrote to memory of 2572	2712	net.exe	net1.exe
PID 2688 wrote to memory of 1192	2688	Logo1_.exe	Explorer.EXE
PID 2688 wrote to memory of 1192	2688	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
"C:\Users\Admin\AppData\Local\Temp\4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7DF6.bat
3⤵
- Deletes itself
- Loads dropped DLL
PID:2636

C:\Users\Admin\AppData\Local\Temp\4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe
"C:\Users\Admin\AppData\Local\Temp\4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe"
4⤵
- Executes dropped EXE
PID:2524

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2444

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2572

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
258KB

MD5
ce1ebc3c0c328e142eab47b6635f807c

SHA1
5576885f6e7f2abe82df076a2d27af32eebb4c0a

SHA256
58eb636f0448ed27f1c1c30503a7888e2913dec4b408e22e46f7edf574375870

SHA512
f3a1be84df1ea85519589ef8b17738bf19202c444992b0d18f802d4e1ca57224a0b2e57371635a21c4cd967cb112eea9c338dbe07eb08d1c44316c5c2379b407

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
478KB

MD5
3e2d3392a9d3ae3ed27661f81e853478

SHA1
fa8c023a3bff75e89ed39f5d4bfb5693d818ca8b

SHA256
09da8a31b7f420b9e4ed6d02e698bcc12a4f3efa46a53d1492a241a5784d44a8

SHA512
27652a29d728b92995b8ce46b150cd14baf5b65789591085ef3fa959dbc99efaa071b7a014ccaabeb6e84cdea642769dc98a7a1684afcda9be82dbb0b8d3fa17

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7DF6.bat
Filesize
722B

MD5
3404d786b44b8b6a21d4f76bb6eb8deb

SHA1
902ed49dd3700d322b12058e3398b6c7bb79850a

SHA256
b598717a130b43636160ef84411c824dd96013d75eecb9cfce7bba91134ad510

SHA512
8632a361ff8dce295b376c7f8e31a415a2c471b5737ffa02baad0ee81c8deba05d3df2e07aaf5f9ef02f3b6b9915121a60114d6492aa057add6dc48964aa74fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c43208cc99b4c2996e944c5c5f242f664ce2518e7210ad0c1be6f92cf8bf1e9.exe.exe
Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Windows\Logo1_.exe
Filesize
33KB

MD5
05ebb4f9455d52366f013e63d099d41f

SHA1
f3d867260198c5be6f0f1e796d517e8ad75b2173

SHA256
05362547df367881bc8a8956b74adf5e7d0c641ad3a6defce8751787503af3f3

SHA512
573fea3c1964ce511986b959789ec3e170ba5d668cab0c201e6ac27c6d23b04250910871b2fd22ad6558d20a2aa2da0380cf9594aa8a33d1315f364a8d697a2f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/1192-27-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/2492-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2492-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-2015-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-4079-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads