60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c

General

Target

60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
Size

130KB
MD5

367d663b41a11fa2a6a33f76db2f3540
SHA1

d3ddf332930fe9ccf664a27b643ba7a87503e7d6
SHA256

60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c
SHA512

23ddc16bd0548b15ff12d8e0be3a6b725942da7329bac793c794332756f7f9efec2c91cc44063601a80782df599895913e3147e9bfaf63e62bb038a40ec464a2
SSDEEP

3072:VTre+ao/3N/YJEgPbtNLHBlQZfIWC6xXMIYga:c+ao1/YDtN7KcIYZ

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Logo1_.exe60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exeExplorer.EXE

pid process

1696 Logo1_.exe
1776 60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1236 Explorer.EXE
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

768 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

768 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1696	Logo1_.exe
1776	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1236	Explorer.EXE

pid	process
768	cmd.exe

pid	process
768	cmd.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
File created	C:\Windows\Logo1_.exe	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exeLogo1_.exe

pid	process
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe
1696	Logo1_.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe

pid	process
1776	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
1776	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1516 wrote to memory of 1576	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	net.exe
PID 1516 wrote to memory of 1576	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	net.exe
PID 1516 wrote to memory of 1576	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	net.exe
PID 1516 wrote to memory of 1576	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	net.exe
PID 1576 wrote to memory of 1224	1576	net.exe	net1.exe
PID 1576 wrote to memory of 1224	1576	net.exe	net1.exe
PID 1576 wrote to memory of 1224	1576	net.exe	net1.exe
PID 1576 wrote to memory of 1224	1576	net.exe	net1.exe
PID 1516 wrote to memory of 768	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	cmd.exe
PID 1516 wrote to memory of 768	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	cmd.exe
PID 1516 wrote to memory of 768	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	cmd.exe
PID 1516 wrote to memory of 768	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	cmd.exe
PID 1516 wrote to memory of 1696	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	Logo1_.exe
PID 1516 wrote to memory of 1696	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	Logo1_.exe
PID 1516 wrote to memory of 1696	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	Logo1_.exe
PID 1516 wrote to memory of 1696	1516	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe	Logo1_.exe
PID 1696 wrote to memory of 1500	1696	Logo1_.exe	net.exe
PID 1696 wrote to memory of 1500	1696	Logo1_.exe	net.exe
PID 1696 wrote to memory of 1500	1696	Logo1_.exe	net.exe
PID 1696 wrote to memory of 1500	1696	Logo1_.exe	net.exe
PID 1500 wrote to memory of 108	1500	net.exe	net1.exe
PID 1500 wrote to memory of 108	1500	net.exe	net1.exe
PID 1500 wrote to memory of 108	1500	net.exe	net1.exe
PID 1500 wrote to memory of 108	1500	net.exe	net1.exe
PID 768 wrote to memory of 1776	768	cmd.exe	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
PID 768 wrote to memory of 1776	768	cmd.exe	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
PID 768 wrote to memory of 1776	768	cmd.exe	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
PID 768 wrote to memory of 1776	768	cmd.exe	60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
PID 1696 wrote to memory of 968	1696	Logo1_.exe	net.exe
PID 1696 wrote to memory of 968	1696	Logo1_.exe	net.exe
PID 1696 wrote to memory of 968	1696	Logo1_.exe	net.exe
PID 1696 wrote to memory of 968	1696	Logo1_.exe	net.exe
PID 968 wrote to memory of 1344	968	net.exe	net1.exe
PID 968 wrote to memory of 1344	968	net.exe	net1.exe
PID 968 wrote to memory of 1344	968	net.exe	net1.exe
PID 968 wrote to memory of 1344	968	net.exe	net1.exe
PID 1696 wrote to memory of 1236	1696	Logo1_.exe	Explorer.EXE
PID 1696 wrote to memory of 1236	1696	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1236

C:\Users\Admin\AppData\Local\Temp\60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
"C:\Users\Admin\AppData\Local\Temp\60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2608.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe
"C:\Users\Admin\AppData\Local\Temp\60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:108

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a2608.bat

Filesize
722B

MD5
4857a0caeff8abcb844dab7d9d07dc05

SHA1
10d50cf358d114ca3a786d7bd19ded38afd0d6df

SHA256
6f41b873a4fb05f1875798e877fb13a732191aa46a62e06b2c2e59bf8e217bb6

SHA512
59637e65f1abbd5e6a9a1c02ea07747f2a1de014bf28642d6a9e49b0001d9529e0dd30bc1c59dfaa932882a5226532e89d6b58ffc6bfd570ca9b3ef5406148d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe

Filesize
96KB

MD5
9d4df63bd8e402563e77346cea1358de

SHA1
ef0ad30f93bf57ca391b60517c1a42f1d5c524cf

SHA256
dd8e7b74748ca2b7f88b393a1edafde2f96a1a928fa694a7fa44af2f97aa02d1

SHA512
99b383c57aa1cf81543e963fb69248d2ee375f94e1c78e6228c4e66308ce33af92b395a437d9d10e7aad9a1d066b49716f02b49bcd4161569cd33147d25f79ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe.exe

Filesize
96KB

MD5
9d4df63bd8e402563e77346cea1358de

SHA1
ef0ad30f93bf57ca391b60517c1a42f1d5c524cf

SHA256
dd8e7b74748ca2b7f88b393a1edafde2f96a1a928fa694a7fa44af2f97aa02d1

SHA512
99b383c57aa1cf81543e963fb69248d2ee375f94e1c78e6228c4e66308ce33af92b395a437d9d10e7aad9a1d066b49716f02b49bcd4161569cd33147d25f79ab

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
16fd3807ffc5cabf5ddd0c85848f74ce

SHA1
db57e93a46eea2e9fa245b5e6ced21987a10fd98

SHA256
0f2f83db0723a7c8d1d853b2a6ff4080925937f4c3910355d66a0adec7363b50

SHA512
23a98cf4f1df516a4f0b936522de5eb71b8819196352e9ca2325a65dc98db80da066116278adf97c6ae996b8cf34e31c47a98fb4c6002d4ea554e7624bbef00f

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
16fd3807ffc5cabf5ddd0c85848f74ce

SHA1
db57e93a46eea2e9fa245b5e6ced21987a10fd98

SHA256
0f2f83db0723a7c8d1d853b2a6ff4080925937f4c3910355d66a0adec7363b50

SHA512
23a98cf4f1df516a4f0b936522de5eb71b8819196352e9ca2325a65dc98db80da066116278adf97c6ae996b8cf34e31c47a98fb4c6002d4ea554e7624bbef00f

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
16fd3807ffc5cabf5ddd0c85848f74ce

SHA1
db57e93a46eea2e9fa245b5e6ced21987a10fd98

SHA256
0f2f83db0723a7c8d1d853b2a6ff4080925937f4c3910355d66a0adec7363b50

SHA512
23a98cf4f1df516a4f0b936522de5eb71b8819196352e9ca2325a65dc98db80da066116278adf97c6ae996b8cf34e31c47a98fb4c6002d4ea554e7624bbef00f

Download Submit
\Users\Admin\AppData\Local\Temp\60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe

Filesize
96KB

MD5
9d4df63bd8e402563e77346cea1358de

SHA1
ef0ad30f93bf57ca391b60517c1a42f1d5c524cf

SHA256
dd8e7b74748ca2b7f88b393a1edafde2f96a1a928fa694a7fa44af2f97aa02d1

SHA512
99b383c57aa1cf81543e963fb69248d2ee375f94e1c78e6228c4e66308ce33af92b395a437d9d10e7aad9a1d066b49716f02b49bcd4161569cd33147d25f79ab

Download Submit
\Users\Admin\AppData\Local\Temp\60eb9df96eea5db1d3d0037b06d7db030028cedf37548fd95cf8607704e8b49c.exe

Filesize
96KB

MD5
9d4df63bd8e402563e77346cea1358de

SHA1
ef0ad30f93bf57ca391b60517c1a42f1d5c524cf

SHA256
dd8e7b74748ca2b7f88b393a1edafde2f96a1a928fa694a7fa44af2f97aa02d1

SHA512
99b383c57aa1cf81543e963fb69248d2ee375f94e1c78e6228c4e66308ce33af92b395a437d9d10e7aad9a1d066b49716f02b49bcd4161569cd33147d25f79ab

Download Submit
memory/108-65-0x0000000000000000-mapping.dmp

Download
memory/768-57-0x0000000000000000-mapping.dmp

Download
memory/968-73-0x0000000000000000-mapping.dmp

Download
memory/1224-55-0x0000000000000000-mapping.dmp

Download
memory/1344-74-0x0000000000000000-mapping.dmp

Download
memory/1500-62-0x0000000000000000-mapping.dmp

Download
memory/1516-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-54-0x0000000000000000-mapping.dmp

Download
memory/1696-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1696-58-0x0000000000000000-mapping.dmp

Download
memory/1696-75-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1776-69-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download
memory/1776-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads