51ed0ccf2ee16871ab39c8631be12f3f077c5bd9b62eb4951b3695e238c2468e

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
Size

562KB
MD5

71d804c8cf876e65e93d58c79177c313
SHA1

41f12a009ee03714125acf9ef810d00d0d663e57
SHA256

51ed0ccf2ee16871ab39c8631be12f3f077c5bd9b62eb4951b3695e238c2468e
SHA512

0f45ed09d3c57a28b6dd58d542fdc5ebce02a734125d2ed53f433135a338b2563d56054d4f00632367cc8aa710b51ee9fbb6756cbeb3f8db705d9145b3c2800f
SSDEEP

12288:I+aUc9iJafmm2VYK+UNo0RweQfoAxHv9sN4A4H9J618UtQ43iUa:IBgVm2VZQwy9E1Vf3M

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	Logo1_.exe
2860	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	cmd.exe
2708	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
File created	C:\Windows\Logo1_.exe	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2872	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	30
PID 2876 wrote to memory of 2872	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	30
PID 2876 wrote to memory of 2872	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	30
PID 2876 wrote to memory of 2872	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	30
PID 2872 wrote to memory of 3028	2872	net.exe	32
PID 2872 wrote to memory of 3028	2872	net.exe	32
PID 2872 wrote to memory of 3028	2872	net.exe	32
PID 2872 wrote to memory of 3028	2872	net.exe	32
PID 2876 wrote to memory of 2708	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	33
PID 2876 wrote to memory of 2708	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	33
PID 2876 wrote to memory of 2708	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	33
PID 2876 wrote to memory of 2708	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	33
PID 2876 wrote to memory of 2696	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	35
PID 2876 wrote to memory of 2696	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	35
PID 2876 wrote to memory of 2696	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	35
PID 2876 wrote to memory of 2696	2876	Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe	35
PID 2696 wrote to memory of 2672	2696	Logo1_.exe	36
PID 2696 wrote to memory of 2672	2696	Logo1_.exe	36
PID 2696 wrote to memory of 2672	2696	Logo1_.exe	36
PID 2696 wrote to memory of 2672	2696	Logo1_.exe	36
PID 2708 wrote to memory of 2860	2708	cmd.exe	38
PID 2708 wrote to memory of 2860	2708	cmd.exe	38
PID 2708 wrote to memory of 2860	2708	cmd.exe	38
PID 2708 wrote to memory of 2860	2708	cmd.exe	38
PID 2672 wrote to memory of 2692	2672	net.exe	39
PID 2672 wrote to memory of 2692	2672	net.exe	39
PID 2672 wrote to memory of 2692	2672	net.exe	39
PID 2672 wrote to memory of 2692	2672	net.exe	39
PID 2696 wrote to memory of 1452	2696	Logo1_.exe	40
PID 2696 wrote to memory of 1452	2696	Logo1_.exe	40
PID 2696 wrote to memory of 1452	2696	Logo1_.exe	40
PID 2696 wrote to memory of 1452	2696	Logo1_.exe	40
PID 1452 wrote to memory of 2552	1452	net.exe	42
PID 1452 wrote to memory of 2552	1452	net.exe	42
PID 1452 wrote to memory of 2552	1452	net.exe	42
PID 1452 wrote to memory of 2552	1452	net.exe	42
PID 2696 wrote to memory of 1192	2696	Logo1_.exe	21
PID 2696 wrote to memory of 1192	2696	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
  "C:\Users\Admin\AppData\Local\Temp\Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a96F2.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe
      "C:\Users\Admin\AppData\Local\Temp\Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe"
      4⤵
      Executes dropped EXE
      PID:2860
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
c3edc0f096e5b0e8e5756f988af26b69

SHA1
3ff38578d6d90758e3485f6cd8792bedf925dbe5

SHA256
a47a6432c68488361e77f6b2ffe00f6a389bbefa612999d647342af6e5d9ebb1

SHA512
d4fa7452579befb4eb563c29e41474c45b515a3ac896db2282669ebd43a0cdcf3965fb4f18c5b78372ac1f9f4be27f81521b5ee6e278cee9cf4d7a373ae32197

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
477KB

MD5
c32f3ae2a93a21a604cd493d86b40278

SHA1
4428387f1a1dd12ff5607459bcf4d89cd8ed80fe

SHA256
b84bbbbc007c88ca79ea94b2cf92e7a3093c8de3a8ce4b70b6f4d0a9480595a8

SHA512
5e7bb3318deebf7663fc4b9c3b20ce75986e32cbb27c34ec94fccf5affde4f0dd9e5dd0bef38510d088ec00b885dccafff09706a75fd927f882540ead7cc7965

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a96F2.bat

Filesize
728B

MD5
d152068eb3e9c2f6fce61bd4285cbcca

SHA1
a91bcc32b90d696d706bac59f1d70ff19ffa88a5

SHA256
273cd6dcc69cea053e13fe2fc9f406addfdb4096e75fac75dd5f3d2a6cc974a9

SHA512
9556ff3ca5942f911eca687ebb863739956d5bf719b82cd0de84ab3dd2c02a3ff1ff9635dd4d03523ed7286704aeabeaa131c83b381e47eb4caf79774272f629

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.Injector.ATA_virussign.com_71d804c8cf876e65e93d58c79177c313.exe.exe

Filesize
529KB

MD5
cca0c5482b8a6a275d9d49433f435dfa

SHA1
a72ae8621386e13c34055f612ae7612b8a18a39e

SHA256
6ea08bbcedf7cb51cfbe4896ef8c589a4568b1d5240265b1dcfda83dc8b55365

SHA512
b88f5cdb4bc08429ca40d24cef490128d341e10615d1d93d084b3247c2b28573d177d878c1385d3941e16a8bcc8a9f6b7870c152f4a43d02e69c05defcc9196e

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
8db8f01ff3888c1cf7faa0d7bee56fac

SHA1
2e67943b7b89ed681aad28d547f5fe105b8d6bbb

SHA256
ec7ddca76eda53f8cd5276c1300d78e1ac0e29c6eb14d95f0e6342ad97acf100

SHA512
e87cca7c2892bc440f2d9a7de9935395a17726df780e56feb861d3219a8586993bd7b95f610609c589ebc694469eb1213d5e39986a90b83a48f5475ed3da547a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\_desktop.ini

Filesize
8B

MD5
24cfb7e9169e3ecbcdf34395dff5aed0

SHA1
64061d8b0afd788fb3d2990e90e61f14010896dd

SHA256
e11477f26e6139dabba6ad5dab927732c6a3785db78f82194ad7ae20323c6578

SHA512
a315d4ab14f15f8df115e35134f0a1eff8018b0c35c5a0283928f2d3f3014215d683973b9aeba1bc74c49437cc929ea4e2fb847b4305da6d5abca235c750e299

Download Submit
memory/1192-30-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2696-34-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-1140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-3346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-6512-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-9329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-16-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2876-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-18-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download