fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa

General

Target

fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
Size

497KB
MD5

05380234f89e59b6d91e27ed7fcb06a2
SHA1

78edcf8422e57ea68f9b76fa23c09d9ed4f6942f
SHA256

fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa
SHA512

f3430e6982ce5012bcab5d9bc5ced35cb9cdf865d2ef027072f36abf94d8d40829aa764ebdb8d29f8819d01248f114f6ce9d3e1444250b1b88f469d2057a4abf
SSDEEP

12288:Q+azbvb1gL5pRTcAkS/3hzN8qE43fm78V:QBzb+5jcAkSYqyE

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3064 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exefb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe

pid process

2564 Logo1_.exe
2676 fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

3064 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3064	cmd.exe

pid	process
2564	Logo1_.exe
2676	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe

pid	process
3064	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
File created	C:\Windows\Logo1_.exe	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exeLogo1_.exe

pid	process
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exenet.exeLogo1_.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2320 wrote to memory of 2376	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	net.exe
PID 2320 wrote to memory of 2376	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	net.exe
PID 2320 wrote to memory of 2376	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	net.exe
PID 2320 wrote to memory of 2376	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	net.exe
PID 2376 wrote to memory of 1780	2376	net.exe	net1.exe
PID 2376 wrote to memory of 1780	2376	net.exe	net1.exe
PID 2376 wrote to memory of 1780	2376	net.exe	net1.exe
PID 2376 wrote to memory of 1780	2376	net.exe	net1.exe
PID 2320 wrote to memory of 3064	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	cmd.exe
PID 2320 wrote to memory of 3064	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	cmd.exe
PID 2320 wrote to memory of 3064	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	cmd.exe
PID 2320 wrote to memory of 3064	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	cmd.exe
PID 2320 wrote to memory of 2564	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	Logo1_.exe
PID 2320 wrote to memory of 2564	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	Logo1_.exe
PID 2320 wrote to memory of 2564	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	Logo1_.exe
PID 2320 wrote to memory of 2564	2320	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	Logo1_.exe
PID 2564 wrote to memory of 2644	2564	Logo1_.exe	net.exe
PID 2564 wrote to memory of 2644	2564	Logo1_.exe	net.exe
PID 2564 wrote to memory of 2644	2564	Logo1_.exe	net.exe
PID 2564 wrote to memory of 2644	2564	Logo1_.exe	net.exe
PID 3064 wrote to memory of 2676	3064	cmd.exe	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
PID 3064 wrote to memory of 2676	3064	cmd.exe	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
PID 3064 wrote to memory of 2676	3064	cmd.exe	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
PID 3064 wrote to memory of 2676	3064	cmd.exe	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
PID 2644 wrote to memory of 2748	2644	net.exe	net1.exe
PID 2644 wrote to memory of 2748	2644	net.exe	net1.exe
PID 2644 wrote to memory of 2748	2644	net.exe	net1.exe
PID 2644 wrote to memory of 2748	2644	net.exe	net1.exe
PID 2564 wrote to memory of 3008	2564	Logo1_.exe	net.exe
PID 2564 wrote to memory of 3008	2564	Logo1_.exe	net.exe
PID 2564 wrote to memory of 3008	2564	Logo1_.exe	net.exe
PID 2564 wrote to memory of 3008	2564	Logo1_.exe	net.exe
PID 3008 wrote to memory of 1864	3008	net.exe	net1.exe
PID 3008 wrote to memory of 1864	3008	net.exe	net1.exe
PID 3008 wrote to memory of 1864	3008	net.exe	net1.exe
PID 3008 wrote to memory of 1864	3008	net.exe	net1.exe
PID 2564 wrote to memory of 1232	2564	Logo1_.exe	Explorer.EXE
PID 2564 wrote to memory of 1232	2564	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
"C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a18DE.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
"C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe"
4⤵
- Executes dropped EXE
PID:2676

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2748

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1864

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
264KB

MD5
04d1e854f97e7f347f7dcdb3cb9adc4e

SHA1
7727eedbe1fcce30bd5e81abd19eb72ef446d38e

SHA256
73e08206ac1e2dc53a2c25a4c47c8a24d316db3ac7c48a5b92ee882557549bc4

SHA512
85c0e6392aa0830d5f601a745b92bc8857d19c4cc9845e7eb258fef79aa5f304c5e6dc0ba108b8d72cf665ec02260473e2428cf41a8a342a7b1faf83f2677b9c

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
484KB

MD5
41d5bd106a62b9a38b1c76df058c795d

SHA1
f4d66b06c910103c30e24010f380d2d98bd49cab

SHA256
a3d71d07d47ca777c1976260894fa8f618a7dc9e5626150b578dd01f722d522f

SHA512
46326985ebc5f47fe1542b04b5d78ef58b9fbf3ae7e8f08346b26dbc767eef6a46cebb5d27acc08cb7ce280e814e31032168566d2c2c75f0e0a54745ab976f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a18DE.bat
Filesize
722B

MD5
60cc5a6ce5b0ead087b0bf8de6841874

SHA1
0b0eda9116c7e04cdf01132251b99765e4a91415

SHA256
1047e13b9341a86d9b33e1047b5db7722550125634c968fadf7d2b0e0e24d728

SHA512
bc6bb874a5737b140bf5ded86329f3a52aba5a44f28bc33f5cd19b2f1cdfe51ea0bb2cd6950635b1b5874942508d4fe928cf11e602d25f1304cf7c3182aec5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\Logo1_.exe
Filesize
39KB

MD5
2e37e017a3b74e974e64745682b0d9ff

SHA1
9cb58a2c621331ee34fb433706db05a3d9953558

SHA256
ab1bf4f80870eb86bfc589bf20f514ac3146b4f8e32e5e3f85085952ae448c1a

SHA512
9d3be56ded87fabffa7ac2ea39401e776f6723235be4e6d3a7031a77545e0dc38d2a0ca75f8ea689e0ab7885307410bb7e38b16a2a87021b554f8c687b526ece

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
Filesize
9B

MD5
304501c003da3bc5756aa53a757c30cc

SHA1
94dfcea0ef17f89b3a60a85a07edb4c00170cc1c

SHA256
9f4b03cbd52378f329bfc7088f8242bbc1a0a2754bc2f8a40e3b74e0dedecd6e

SHA512
78cd3c2cb4cb66e41d8947e1231256c2043d71c77f97e92915e938a6c1d9a8c003512027d98bc71bf582875d269e5fbe6e134f57b25f5f79fe16f9a412387dc8

Download Submit
memory/1232-27-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2320-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2320-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2564-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2564-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2564-3318-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2564-4141-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads