Resubmissions
03-06-2024 05:32
240603-f8hxzaed72

Analysis
max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:43
Static task: static1
Behavioral task: behavioral1
Sample: 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe
Resource: win7-20240508-en
General
Target: 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe
Size: 368KB
MD5: 6d857a11a566aeb55a9f14ee68d12a7b
SHA1: 0cb7364b97ef764c1d888b547eb7815ff8a80f85
SHA256: 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc
SHA512: e379dc85c39c84760c951cb13bf1f663220870eac87369854eb4983cfc89abf95fab6d0c9cd56f33c7bc6609b981f854b9a77a35cd8d4b8fbc806f62c2b99d1f
SSDEEP: 6144:n1qe1ISTzU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:n1quIwU66b5zhVymA/XSRh
Malware Config
Signatures
Drops startup file (2 IoCs)
Process: Logo1_.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
The Word STARTUP folder is an auto-load location for Word templates and add-ins, but a file named _desktop.ini is not something Word loads. This entry therefore shows the same _desktop.ini marker that Logo1_.exe writes elsewhere reaching a per-user path, not confirmed persistence.
Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe, 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe
- PID 4388: Logo1_.exe
- PID 1120: 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other profile contents.
No file-level IoC is listed for this signature on this page, so treat it as a TTP tag rather than an observed path.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: Logo1_.exe
- File opened (read-only), in the order recorded: \??\X: \??\M: \??\L: \??\G: \??\Z: \??\J: \??\H: \??\E: \??\Y: \??\V: \??\U: \??\T: \??\P: \??\N: \??\K: \??\W: \??\S: \??\R: \??\Q: \??\O: \??\I:
Drops file in Program Files directory (64 IoCs)
Process: Logo1_.exe
- File opened for modification: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\fr\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\vlc.exe
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\_desktop.ini
- File created: C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\5DE348A7-D1AB-4F5E-935D-8A3992E6EB3E\root\vfs\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\sv-se\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\_desktop.ini
- File opened for modification: C:\Program Files\Java\jre-1.8\lib\_desktop.ini
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\_desktop.ini
- File opened for modification: C:\Program Files\Uninstall Information\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\_desktop.ini
- File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini
- File created: C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-il\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\_desktop.ini
- File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini
- File created: C:\Program Files (x86)\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini
- File created: C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\_desktop.ini
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini
- File created: C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\_desktop.ini
- File created: C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_desktop.ini
- File opened for modification: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini
- File opened for modification: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\_desktop.ini
Two of the 64 entries are executables rather than _desktop.ini markers: vlc.exe and appletviewer.exe were both opened for modification by Logo1_.exe. On an affected host, treat any executable that Logo1_.exe opened with write access as potentially altered and verify its hash against a known-good copy before trusting it. The _desktop.ini name (with a leading underscore) is not the legitimate shell desktop.ini, which makes it a usable file-system marker.
Drops file in Windows directory (4 IoCs)
Processes: 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe, Logo1_.exe
- File created: C:\Windows\rundl132.exe (5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe)
- File created: C:\Windows\Logo1_.exe (5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\Dll.dll (Logo1_.exe)
Note the spelling of rundl132.exe: the "l32" of the legitimate rundll32.exe is replaced by the digit one and "32", so it reads as rundll32 at a glance but is a different file written directly into C:\Windows. All three drops sit in the Windows root rather than in System32 or SysWOW64.
Runs net.exe
Command line (from the process tree below): net stop "Kingsoft AntiVirus Service", issued once by the sample (PID 4444) and twice by Logo1_.exe (PIDs 1272 and 4384); each net.exe hands off to net1.exe as usual.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe, Logo1_.exe
- PID 3748: 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe (listed repeatedly)
- PID 4388: Logo1_.exe (listed repeatedly)
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe, net.exe, Logo1_.exe, cmd.exe
Each entry reads "PID <source> wrote to memory of <target>"; the same pair is recorded up to three times.
- 3748 (5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe) -> 4444 (net.exe), 3 writes
- 4444 (net.exe) -> 2448 (net1.exe), 3 writes
- 3748 (5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe) -> 1940 (cmd.exe), 3 writes
- 3748 (5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe) -> 4388 (Logo1_.exe), 3 writes
- 4388 (Logo1_.exe) -> 1272 (net.exe), 3 writes
- 1940 (cmd.exe) -> 1120 (5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe), 2 writes
- 1272 (net.exe) -> 60 (net1.exe), 3 writes
- 4388 (Logo1_.exe) -> 4384 (net.exe), 3 writes
- 4384 (net.exe) -> 4448 (net1.exe), 3 writes
- 4388 (Logo1_.exe) -> 3440 (Explorer.EXE), 2 writes
Nine of the ten pairs are a parent writing into a child it has just created, which is part of normal process start-up. The last pair is different: Explorer.EXE (PID 3440) is the top of the process tree and was not started by Logo1_.exe, so those two writes are into an already-running process the sample did not create and deserve a closer look.
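Reading the flattened WriteProcessMemory list by hand is error-prone. The following added Python example (mine, not the sandbox's code) parses the entries above, counts writes per source/target pair, and uses the parent PIDs from the process tree on this page to separate writes into a freshly created child from writes into a process the writer did not create. The embedded input is copied from the report with the sample's 64-character file name shortened to sample.exe; the parent map is my transcription of the tree.

```python
import re
from collections import Counter

# Constructed input: the report's 28 WriteProcessMemory entries, one per line, with the
# 64-hex-character sample name shortened to "sample.exe" for readability.
REPORT_TEXT = """\
PID 3748 wrote to memory of 4444 3748 sample.exe net.exe
PID 3748 wrote to memory of 4444 3748 sample.exe net.exe
PID 3748 wrote to memory of 4444 3748 sample.exe net.exe
PID 4444 wrote to memory of 2448 4444 net.exe net1.exe
PID 4444 wrote to memory of 2448 4444 net.exe net1.exe
PID 4444 wrote to memory of 2448 4444 net.exe net1.exe
PID 3748 wrote to memory of 1940 3748 sample.exe cmd.exe
PID 3748 wrote to memory of 1940 3748 sample.exe cmd.exe
PID 3748 wrote to memory of 1940 3748 sample.exe cmd.exe
PID 3748 wrote to memory of 4388 3748 sample.exe Logo1_.exe
PID 3748 wrote to memory of 4388 3748 sample.exe Logo1_.exe
PID 3748 wrote to memory of 4388 3748 sample.exe Logo1_.exe
PID 4388 wrote to memory of 1272 4388 Logo1_.exe net.exe
PID 4388 wrote to memory of 1272 4388 Logo1_.exe net.exe
PID 4388 wrote to memory of 1272 4388 Logo1_.exe net.exe
PID 1940 wrote to memory of 1120 1940 cmd.exe sample.exe
PID 1940 wrote to memory of 1120 1940 cmd.exe sample.exe
PID 1272 wrote to memory of 60 1272 net.exe net1.exe
PID 1272 wrote to memory of 60 1272 net.exe net1.exe
PID 1272 wrote to memory of 60 1272 net.exe net1.exe
PID 4388 wrote to memory of 4384 4388 Logo1_.exe net.exe
PID 4388 wrote to memory of 4384 4388 Logo1_.exe net.exe
PID 4388 wrote to memory of 4384 4388 Logo1_.exe net.exe
PID 4384 wrote to memory of 4448 4384 net.exe net1.exe
PID 4384 wrote to memory of 4448 4384 net.exe net1.exe
PID 4384 wrote to memory of 4448 4384 net.exe net1.exe
PID 4388 wrote to memory of 3440 4388 Logo1_.exe Explorer.EXE
PID 4388 wrote to memory of 3440 4388 Logo1_.exe Explorer.EXE
"""

# Parent PID of each process in the report's process tree; top-level entries have None.
PARENT_OF = {
    3440: None, 3748: 3440, 4444: 3748, 2448: 4444, 1940: 3748, 1120: 1940,
    4388: 3748, 1272: 4388, 60: 1272, 4384: 4388, 4448: 4384, 4848: None,
}

# "PID <src> wrote to memory of <dst> <src again> <src name> <dst name>"
ENTRY_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_writes(text):
    """Return a Counter of (src_pid, dst_pid, src_name, dst_name) -> number of writes."""
    counts = Counter()
    for m in ENTRY_RE.finditer(text):
        src, dst, src_name, dst_name = m.groups()
        counts[(int(src), int(dst), src_name, dst_name)] += 1
    return counts


def classify_writes(text, parent_of):
    """Split the writes into two dicts: those into the writer's own child process
    (expected while a new process is being set up) and those into any process the
    writer did not create (candidate cross-process injection)."""
    spawn, foreign = {}, {}
    for key, n in parse_writes(text).items():
        src, dst = key[0], key[1]
        (spawn if parent_of.get(dst) == src else foreign)[key] = n
    return spawn, foreign


if __name__ == "__main__":
    spawn, foreign = classify_writes(REPORT_TEXT, PARENT_OF)
    for (src, dst, sn, dn), n in foreign.items():
        print(f"write into non-child: {sn} ({src}) -> {dn} ({dst}), {n} writes")
```

Run against this page's data it leaves exactly one pair in the "foreign" set, Logo1_.exe writing into Explorer.EXE; every other pair is a parent writing into a child it had just spawned.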
Processes
Indentation shows parent/child relationships; each process is followed by its command line and the signatures attributed to it.

C:\Windows\Explorer.EXE (PID 3440)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe (PID 3748)
    command line: "C:\Users\Admin\AppData\Local\Temp\5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 4444)
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 2448)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    C:\Windows\SysWOW64\cmd.exe (PID 1940)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3FC8.bat
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe (PID 1120)
        command line: "C:\Users\Admin\AppData\Local\Temp\5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 4388)
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 1272)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 60)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      C:\Windows\SysWOW64\net.exe (PID 4384)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 4448)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\System32\rundll32.exe (PID 4848)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Reading the tree: the sample (PID 3748) stops the Kingsoft service, runs a batch file from its own Temp directory through cmd.exe, and that batch re-executes the sample's path (PID 1120, tagged "Executes dropped EXE", so the file at that path is no longer the submitted binary). In parallel it starts the dropped C:\Windows\Logo1_.exe (PID 4388), which repeats the service stop twice and is responsible for the drive enumeration and the _desktop.ini drops. The rundll32.exe entry is a COM local-server activation with no parent link to the sample and no signatures attached; do not treat it as an indicator on its own.
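The tree above supplies the command lines and parent/child links a detection would key on. The following added Python example (not from the sandbox or the sample) encodes the tree as constructed process-creation events and runs a few rules over them: a net/net1/sc "stop" of a service whose name looks security-related (the keyword list is my assumption and generalizes beyond the Kingsoft service seen here), an executable running directly from C:\Windows, a cmd.exe /c of a batch file in the user's Temp directory, the batch-mediated relaunch of the same image, and a digit-for-letter masquerade check that maps the dropped rundl132.exe name onto rundll32.exe. The allowlist of binaries that legitimately live in C:\Windows and the list of system binary names are illustrative, not exhaustive.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the report's process tree rewritten as process-creation events
# (pid, parent pid, image path, command line). The sample's 64-character file name is
# shortened to sample.exe; everything else is as shown in the tree.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET_STOP = 'net stop "Kingsoft AntiVirus Service"'
NET1_STOP = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'
EVENTS = [
    {"pid": 3440, "ppid": None, "image": r"C:\Windows\Explorer.EXE", "cmd": r"C:\Windows\Explorer.EXE"},
    {"pid": 3748, "ppid": 3440, "image": TEMP + r"\sample.exe", "cmd": '"' + TEMP + r'\sample.exe"'},
    {"pid": 4444, "ppid": 3748, "image": r"C:\Windows\SysWOW64\net.exe", "cmd": NET_STOP},
    {"pid": 2448, "ppid": 4444, "image": r"C:\Windows\SysWOW64\net1.exe", "cmd": NET1_STOP},
    {"pid": 1940, "ppid": 3748, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"C:\Windows\system32\cmd.exe /c " + TEMP + r"\$$a3FC8.bat"},
    {"pid": 1120, "ppid": 1940, "image": TEMP + r"\sample.exe", "cmd": '"' + TEMP + r'\sample.exe"'},
    {"pid": 4388, "ppid": 3748, "image": r"C:\Windows\Logo1_.exe", "cmd": r"C:\Windows\Logo1_.exe"},
    {"pid": 1272, "ppid": 4388, "image": r"C:\Windows\SysWOW64\net.exe", "cmd": NET_STOP},
    {"pid": 60, "ppid": 1272, "image": r"C:\Windows\SysWOW64\net1.exe", "cmd": NET1_STOP},
    {"pid": 4384, "ppid": 4388, "image": r"C:\Windows\SysWOW64\net.exe", "cmd": NET_STOP},
    {"pid": 4448, "ppid": 4384, "image": r"C:\Windows\SysWOW64\net1.exe", "cmd": NET1_STOP},
    {"pid": 4848, "ppid": None, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
            r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
]

# Assumptions: generic keywords for security-product service names, a small allowlist of
# binaries that legitimately live in C:\Windows itself, and common system binary names.
SECURITY_WORDS = ("antivirus", "anti-virus", "defender", "security", "protect")
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe", "winhlp32.exe"}
SYSTEM_NAMES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})  # digit-for-letter substitutions to undo
BAT_RE = re.compile(r"/c\s+(\S+\\appdata\\local\\temp\\\S+\.bat)\b", re.I)


def basename(image):
    return PureWindowsPath(image).name.lower()


def stops_security_service(ev):
    """net/net1/sc stopping a service whose name contains a security keyword."""
    if basename(ev["image"]) not in {"net.exe", "net1.exe", "sc.exe"}:
        return False
    m = re.search(r'\bstop\s+"?([^"]+?)"?\s*$', ev["cmd"], re.I)
    return bool(m) and any(w in m.group(1).lower() for w in SECURITY_WORDS)


def exe_in_windows_root(ev):
    """Image located directly in C:\\Windows (not a subdirectory) and not on the allowlist."""
    p = PureWindowsPath(ev["image"])
    return str(p.parent).lower() == r"c:\windows" and p.name.lower() not in WINDOWS_ROOT_ALLOWLIST


def masquerade_target(name):
    """Return the system binary a file name imitates via digit/letter swaps, else None."""
    low = name.lower()
    if low in SYSTEM_NAMES:
        return None
    norm = low.translate(HOMOGLYPHS)
    return norm if norm in SYSTEM_NAMES else None


def runs_temp_batch(ev):
    return basename(ev["image"]) == "cmd.exe" and BAT_RE.search(ev["cmd"]) is not None


def run_rules(events):
    """Evaluate every event and return {rule_name: sorted list of matching pids}."""
    by_pid = {e["pid"]: e for e in events}
    hits = {"security_service_stop": [], "exe_in_windows_root": [], "masquerade_name": [],
            "cmd_runs_temp_batch": [], "relaunch_via_batch": []}
    for ev in events:
        if stops_security_service(ev):
            hits["security_service_stop"].append(ev["pid"])
        if exe_in_windows_root(ev):
            hits["exe_in_windows_root"].append(ev["pid"])
        if masquerade_target(basename(ev["image"])):
            hits["masquerade_name"].append(ev["pid"])
        if runs_temp_batch(ev):
            hits["cmd_runs_temp_batch"].append(ev["pid"])
        # Batch-mediated relaunch: same image as the grandparent, started by a cmd.exe
        # that ran a batch file from Temp (the $$a3FC8.bat pattern in the tree).
        parent = by_pid.get(ev["ppid"])
        grandparent = by_pid.get(parent["ppid"]) if parent else None
        if (parent and grandparent and runs_temp_batch(parent)
                and grandparent["image"].lower() == ev["image"].lower()):
            hits["relaunch_via_batch"].append(ev["pid"])
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for rule, pids in run_rules(EVENTS).items():
        print(f"{rule}: {pids}")
```

On these events the service-stop rule fires six times (three net.exe / net1.exe pairs), the C:\Windows-root rule fires only for Logo1_.exe, the batch rule for the cmd.exe at PID 1940 and the relaunch rule for PID 1120. The masquerade rule fires on nothing in the tree because rundl132.exe is dropped but never executed in this run; it is there for the host-side case where it is.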
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run, with their hashes. Entries without a path are shown as the page lists them.

(path not shown on this page)
Filesize: 577KB
MD5: 447c2cc1d1c31d3beda8c37c6ea8fb29
SHA1: 9aee3aeb7b734fcbce6483f0c127897a34229a21
SHA256: 9f1cf772de334ec803a4d6da70c9ae0a2b5028f75ee2e3cdc52a10b09ad1b854
SHA512: 31cb45cbeb908247e1de671de35363e032cd40276d564bed3fd305fd8c87c9f4476bdd39563978cb1854e28f180499654d5ab5b98aa6c6762674b0df8ac4f05d

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 643KB
MD5: 9363a720e098b38389b25a7b18cfbcdd
SHA1: 7b5e835b22262b47e6042e7aadecc67dac05f7db
SHA256: 10579b661dade8697f252204f241952eb2029ea6978165f9336fd60a72b3205e
SHA512: 564b873358ebe4d4d194b924e9934cb5c1666df901db2556e8cbab8276f8c4380a5bee157cc8eb2063fe0f48a1d0dc1cf339d3d3040d764c974e1c46b0870f88

(path not shown on this page)
Filesize: 722B
MD5: 657cb6f79835d370b8b19696f90e5163
SHA1: bc2c363331b2c5439a121059f7bdbe6ac36fabca
SHA256: d31ef7d0d5e0450bcf6a3719c2305f5255441ed5e4fd42c1ce0e8291657ef873
SHA512: 7824ce2bdfc36f615001cbb6a07dd09b16b7adbfe4d424f4af95d68cb9444b9675d533898c95b97c272fb47b9a67961b18d4bb0a09863fc11732e0b763b7ec43

C:\Users\Admin\AppData\Local\Temp\5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe.exe
Filesize: 335KB
MD5: 40ac62c087648ccc2c58dae066d34c98
SHA1: 0e87efb6ddfe59e534ea9e829cad35be8563e5f7
SHA256: 482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916
SHA512: 0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

(path not shown on this page)
Filesize: 33KB
MD5: 005782dec3941236334d871c5153fbf3
SHA1: c973a6811e47002ccb7c48911cf58d9b0f15c990
SHA256: def563a72f35ff1bd5d55bb4d8db6b098975b14f9f0a1e6c099415dda5887103
SHA512: 235604f421d5596f55f22ce59116a6975c527b433c26630c8a0aed7089710a9b4a781db2eae71eb93e7917ed4cf154554bbf37fa2ea4c7c0aaaa7737d96f2933

(path not shown on this page)
Filesize: 8B
MD5: 378d822ce12583d0d584184af22d1d77
SHA1: c062ac770b028df6db676099e02f09fc2f77b171
SHA256: 1ad01f8e46c86dfa34468e306eabe54b58d56134130b53ea7677961e3baaf6c7
SHA512: 23cf7b916de734c6bb6fd3b2beee21f3e82bc95e93d8662dca818d7cf13602706f22671dce61388b2a7e0b613c07c70512331c4132759b16cf438cb1750bc397

Two entries deserve attention. The 335KB file sits at the sample's own path with a second .exe extension and hashes differently from the 368KB submission; together with cmd.exe re-executing the sample's path from $$a3FC8.bat (PID 1120, "Executes dropped EXE"), this is consistent with the dropper writing out a separate executable and relaunching it in place of itself. The 643KB windowsdesktop-runtime-8.0.2-win-x64.exe under Package Cache appears here because it was written during the run; compare its hash against a known-good copy of that installer before assuming it is untouched.