a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
Size

1.5MB
MD5

66081074e23d7ac3c78c0985f6a24c5c
SHA1

4b6bf640b697f6a4b2e62913ede6891a2e2de202
SHA256

a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db
SHA512

03c9f2367cadb83934cc23ca22222375e4b3adfb8624767752bb769b8513ec6825f4e4b71dbd05bc4f9ae34bacd12d1e056cffb1de1a1628ae04075a4ecad671
SSDEEP

24576:IBAQC7HmUDDPC803QpIY46xNIxuzP2e+2RJXlhO1DrA/1EZ8J/6Q4xUEisz2T:IBAQCXDPCT3QCYroEb2e+2RJO1Ds/1E4

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2248	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2040	Logo1_.exe
2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2992	update.exe

Loads dropped DLL 10 IoCs

pid	Process
2248	cmd.exe
2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2992	update.exe
2992	update.exe
2992	update.exe
2992	update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
File created	C:\Windows\Logo1_.exe	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
File opened for modification	C:\Windows\setupapi.log	update.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	\??\c:\windows\KB898715.log	update.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe
2040	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2992	update.exe
Token: SeRestorePrivilege	2992	update.exe
Token: SeRestorePrivilege	2992	update.exe
Token: SeRestorePrivilege	2992	update.exe
Token: SeRestorePrivilege	2992	update.exe
Token: SeRestorePrivilege	2992	update.exe
Token: SeRestorePrivilege	2992	update.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 1952	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	28
PID 2920 wrote to memory of 1952	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	28
PID 2920 wrote to memory of 1952	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	28
PID 2920 wrote to memory of 1952	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	28
PID 1952 wrote to memory of 2948	1952	net.exe	30
PID 1952 wrote to memory of 2948	1952	net.exe	30
PID 1952 wrote to memory of 2948	1952	net.exe	30
PID 1952 wrote to memory of 2948	1952	net.exe	30
PID 2920 wrote to memory of 2248	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	31
PID 2920 wrote to memory of 2248	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	31
PID 2920 wrote to memory of 2248	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	31
PID 2920 wrote to memory of 2248	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	31
PID 2920 wrote to memory of 2040	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	33
PID 2920 wrote to memory of 2040	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	33
PID 2920 wrote to memory of 2040	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	33
PID 2920 wrote to memory of 2040	2920	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	33
PID 2040 wrote to memory of 2708	2040	Logo1_.exe	34
PID 2040 wrote to memory of 2708	2040	Logo1_.exe	34
PID 2040 wrote to memory of 2708	2040	Logo1_.exe	34
PID 2040 wrote to memory of 2708	2040	Logo1_.exe	34
PID 2708 wrote to memory of 2552	2708	net.exe	36
PID 2708 wrote to memory of 2552	2708	net.exe	36
PID 2708 wrote to memory of 2552	2708	net.exe	36
PID 2708 wrote to memory of 2552	2708	net.exe	36
PID 2248 wrote to memory of 2560	2248	cmd.exe	37
PID 2248 wrote to memory of 2560	2248	cmd.exe	37
PID 2248 wrote to memory of 2560	2248	cmd.exe	37
PID 2248 wrote to memory of 2560	2248	cmd.exe	37
PID 2248 wrote to memory of 2560	2248	cmd.exe	37
PID 2248 wrote to memory of 2560	2248	cmd.exe	37
PID 2248 wrote to memory of 2560	2248	cmd.exe	37
PID 2560 wrote to memory of 2992	2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	38
PID 2560 wrote to memory of 2992	2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	38
PID 2560 wrote to memory of 2992	2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	38
PID 2560 wrote to memory of 2992	2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	38
PID 2560 wrote to memory of 2992	2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	38
PID 2560 wrote to memory of 2992	2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	38
PID 2560 wrote to memory of 2992	2560	a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe	38
PID 2040 wrote to memory of 2824	2040	Logo1_.exe	39
PID 2040 wrote to memory of 2824	2040	Logo1_.exe	39
PID 2040 wrote to memory of 2824	2040	Logo1_.exe	39
PID 2040 wrote to memory of 2824	2040	Logo1_.exe	39
PID 2824 wrote to memory of 2956	2824	net.exe	41
PID 2824 wrote to memory of 2956	2824	net.exe	41
PID 2824 wrote to memory of 2956	2824	net.exe	41
PID 2824 wrote to memory of 2956	2824	net.exe	41
PID 2040 wrote to memory of 1204	2040	Logo1_.exe	21
PID 2040 wrote to memory of 1204	2040	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
  "C:\Users\Admin\AppData\Local\Temp\a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a167D.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
      "C:\Users\Admin\AppData\Local\Temp\a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2560
    - - \??\c:\61506aecb65bf1584ef6\update\update.exe
        
        c:\61506aecb65bf1584ef6\update\update.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2552
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
27edd294cced0fdf1261a2be12beb18c

SHA1
bcb1909b19a8e6df284ef6d2cbcea01da6198bb7

SHA256
e5e2debb02812311f440ad7689bb8db46367a31e240a22011b5ee0d4e4c918cd

SHA512
d8f46bc13adb794714bb2e95bb77cdda534f4e842e65888f859aafa4fa6072912ab94960fc2e922afd9758595c4891d9ebb94ffcfce5cd573d6dcb3f67617ce9

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
160d72907ba08c09bb389bd2103dc2e7

SHA1
c17e093c36fdf4ebe8739d16412df3a46f47f152

SHA256
c6947429cc3df873c25ca1a9ef6c2a7f01668728fb779c38cf6c78e8c0d825fd

SHA512
572160d80583f13bb3140bdb7f6ae4625498a3d464f7b1f32ef6ed5c11bfa443ede6e5aa10a5d574032c199612b1a1e03fa2103fc67ba730dd54b75146119817

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a167D.bat

Filesize
722B

MD5
cf4bc01fe08ad100ae92c0a3580b5608

SHA1
93f1037d7de8340a0cd2054590323af079439254

SHA256
8a6e4373a09aa03fffcce1b6b6e55a5b3fa7eda9dc4b5c8236f93313f0a8718d

SHA512
758c92bf8fed99f14597b1c635a0fdec6df688acb09933a24dfc800107285b8cb0dd603b185ab5e6f354e9d3e7c16858593aa73a3d7c04c8063c62199bceae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe.exe

Filesize
1.5MB

MD5
8b44f267d215f5ab372a65fc071c42c2

SHA1
66682ed84d2e7d1d2ad19d99d886173a14e307c3

SHA256
cf4591b63d920fc1c4787a5b674cf4f1abe2fef245b19b14970a0f127924841a

SHA512
fa70edee34704e8dbe6dfff921f36c91ca356141bcd0d6d788040b2f4d57abebbaee74bbc8be2988d9c1f42462bc0050c0d7627b6d0d0044cf1b352ed6f37e16

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
d9d56e898f9fe3e52f62c443b4066874

SHA1
3dd496210187e236bf545e128e21dd5c53d44a83

SHA256
dfd87b3c1dcf2125f58bf86d1773bfaf2744355ed369f00ea44c72a287c9f72d

SHA512
fe0eaf0c95cd52c8a5c4ce50ae63fd85c7d67ba824b87ab6d9c702ccbde5923e1d6a3cd45aa636b5475494e330fc866e00df8e4fc6e1a2115cef7f7861eaff26

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
9B

MD5
1884bfdeea71ff22db39c196f4447c9c

SHA1
3eafc7e6e17ba6ce7a087a3588fb1efb596da038

SHA256
163167bc5a01ad6b3ed4406c2a9a1baaf2c0ef4620ab7d5b39aeddf976ca776d

SHA512
b22124aa3a912462e6face7f71ad3dfec4b27dab16b2e20e3a0adc277f89f631ec889c91b185ac4b9b670933d881b8fd26c25d6f405e465aa8148cdbb7f7c3e2

Download Submit
\61506aecb65bf1584ef6\_sfx_.dll

Filesize
30KB

MD5
b9b02d97007953e74caaa38497e7278a

SHA1
3954391efec4615a597594b02ad755f539d2fa42

SHA256
e4ecf14cf98b855642505802a04be2035db6e13600112c01632e2e600c8184cc

SHA512
78f39f6c6167ba61f52501912b3c5fa6d8c0d594be9f9a5b888b2cb4e19c1d499328fe28a90cc1457e15b14f78ce5a3591b8ed1468afb8d5e944df07a7ae2c6e

Download Submit
\61506aecb65bf1584ef6\update\update.exe

Filesize
701KB

MD5
3b5eaaedb8a9d3f98debbdb0cfd214d5

SHA1
c9e09f6f6026f928d3d6d9056af868df83bd44ef

SHA256
2e2e9f1ea41d8673bcf69c8c97fc16c22932e2b7807fc87c556516261ea33d99

SHA512
26dbaefdedf9ba0094714f65d78b7c68fefc6afbd937cb0322ac698cbf3d104c4ccfbfb671314d6ea98bce2b0c090e2d4a19441d1abc2acb6b143e05818c2b75

Download Submit
\61506aecb65bf1584ef6\update\updspapi.dll

Filesize
363KB

MD5
ebdb17c673b090a949f17c9e6486aaf3

SHA1
2231731f56f803662e0f1d537b22cba7625ef433

SHA256
f484cf06e20996e1887b4304b33444f3ee1c03fb912f5ec8d5327c4074a97abb

SHA512
b05b2e548c507c2bce556acd43174c2a2743d46ba816896e97a475089237020208c710e25aa204aee40be36cc3c8480da0dc6c383cadf2c619268b48f5e8fe40

Download Submit
memory/1204-83-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2040-86-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2040-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2040-3375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2040-4198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-12-0x0000000000230000-0x000000000026F000-memory.dmp

Filesize
252KB

Download
memory/2992-81-0x00000000007E0000-0x000000000083C000-memory.dmp

Filesize
368KB

Download