Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14-09-2024 23:24

Static task: static1
Behavioral task: behavioral1
Sample: da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe
Resource: win7-20240903-en
General
Target: da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe
Size: 264KB
MD5: c31ac8f84f6cab4e929a81f98b942085
SHA1: 7a1410de4243ac6b8216a4a78bf062b5d69fb5d9
SHA256: da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f
SHA512: a261103e2cad90a075f0b8d4f3db08e42c4b157a34e815ce4b66ce2894e7bdcf1c3f1b6f4f9e0f0e38b773255ea3752a929d39c750b6af72fa5c37ad0ec24066
SSDEEP: 1536:21psrz8GvnGxILFkbeumIkA39xSZW175V7UZQJ0UjsWpcdVO4Mqg+aJRaCAd1uhg:2G8a4LRkgUA1nQZwFGVO4Mqg+WDY
Malware Config
Signatures
Deletes itself 1 IoCs
pid   Process
2712  cmd.exe

Drops startup file 2 IoCs
description                   ioc                                                                Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  Logo1_.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  Logo1_.exe

Executes dropped EXE 2 IoCs
pid   Process
2588  Logo1_.exe
2548  da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe

Loads dropped DLL 1 IoCs
pid   Process
2712  cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description                   ioc                       Process
File created                  C:\Windows\rundl132.exe   da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe
File created                  C:\Windows\Logo1_.exe     da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe
File opened for modification  C:\Windows\rundl132.exe   Logo1_.exe
File created                  C:\Windows\Dll.dll        Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Logo1_.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 43 IoCs
Suspicious use of WriteProcessMemory 41 IoCs
Processes

C:\Windows\Explorer.EXE (PID 1196)
  Command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe (PID 2268)
    Command line: "C:\Users\Admin\AppData\Local\Temp\da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe (PID 2680)
      Command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (PID 2764)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2712)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aECFE.bat
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe (PID 2548)
        Command line: "C:\Users\Admin\AppData\Local\Temp\da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    C:\Windows\Logo1_.exe (PID 2588)
      Command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 2716)
        Command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2772)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net.exe (PID 2624)
        Command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 3068)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\da277dbbb9a83da7d03b2abe2462ebf9ed606a64a7dc4ce3a425b7b939f9b17f.exe.exe
Filesize: 231KB
MD5: 6f581a41167d2d484fcba20e6fc3c39a
SHA1: d48de48d24101b9baaa24f674066577e38e6b75c
SHA256: 3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
SHA512: e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6