60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
Size

165KB
MD5

58fe55c3334ded3c62ff2154e8b566c6
SHA1

bae3c1bee6d3745413b9fa7fc85c90baac199e1d
SHA256

60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9
SHA512

fcd2d607564b786a99a69b180ffffdbbb1acd77ea0f0f2be75c30e708306cdad6401991aabad0e353d845290940875585619eb46d8344a89c8b92bfac00aa1b0
SSDEEP

3072:PGTaY46tGNttyJQ7KRZ99djmMGWBgh1002J8emEu3T7TO+9Z9sTOVrZzxVxU:ul46tGdytYWBW1Wu3rOOuOVr8

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 3 IoCs

pid	Process
2632	Logo1_.exe
2640	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
1200	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
2724	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
File created	C:\Windows\Logo1_.exe	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2640	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
2640	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2196	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	30
PID 2824 wrote to memory of 2196	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	30
PID 2824 wrote to memory of 2196	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	30
PID 2824 wrote to memory of 2196	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	30
PID 2196 wrote to memory of 2176	2196	net.exe	32
PID 2196 wrote to memory of 2176	2196	net.exe	32
PID 2196 wrote to memory of 2176	2196	net.exe	32
PID 2196 wrote to memory of 2176	2196	net.exe	32
PID 2824 wrote to memory of 2724	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	33
PID 2824 wrote to memory of 2724	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	33
PID 2824 wrote to memory of 2724	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	33
PID 2824 wrote to memory of 2724	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	33
PID 2824 wrote to memory of 2632	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	35
PID 2824 wrote to memory of 2632	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	35
PID 2824 wrote to memory of 2632	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	35
PID 2824 wrote to memory of 2632	2824	60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe	35
PID 2632 wrote to memory of 2636	2632	Logo1_.exe	36
PID 2632 wrote to memory of 2636	2632	Logo1_.exe	36
PID 2632 wrote to memory of 2636	2632	Logo1_.exe	36
PID 2632 wrote to memory of 2636	2632	Logo1_.exe	36
PID 2636 wrote to memory of 3024	2636	net.exe	38
PID 2636 wrote to memory of 3024	2636	net.exe	38
PID 2636 wrote to memory of 3024	2636	net.exe	38
PID 2636 wrote to memory of 3024	2636	net.exe	38
PID 2724 wrote to memory of 2640	2724	cmd.exe	39
PID 2724 wrote to memory of 2640	2724	cmd.exe	39
PID 2724 wrote to memory of 2640	2724	cmd.exe	39
PID 2724 wrote to memory of 2640	2724	cmd.exe	39
PID 2632 wrote to memory of 380	2632	Logo1_.exe	40
PID 2632 wrote to memory of 380	2632	Logo1_.exe	40
PID 2632 wrote to memory of 380	2632	Logo1_.exe	40
PID 2632 wrote to memory of 380	2632	Logo1_.exe	40
PID 380 wrote to memory of 1164	380	net.exe	42
PID 380 wrote to memory of 1164	380	net.exe	42
PID 380 wrote to memory of 1164	380	net.exe	42
PID 380 wrote to memory of 1164	380	net.exe	42
PID 2632 wrote to memory of 1200	2632	Logo1_.exe	21
PID 2632 wrote to memory of 1200	2632	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1200
- C:\Users\Admin\AppData\Local\Temp\60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
  "C:\Users\Admin\AppData\Local\Temp\60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6BBE.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe
      "C:\Users\Admin\AppData\Local\Temp\60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2640
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:380
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
25f6918160dd06a3fee44112703a34b1

SHA1
aa82bf41243d0ff1b52a8022d706aaaa36ea3507

SHA256
e2f93a0e631d696634eee9a18a15a1ed482c6d7050649e3b5a3892a88000fd47

SHA512
1f4ddd72443748d63be128a50c0d5fbe479d12aa3c101aaff451ae59d44006573d94a01dd508bea5f752cd0300262923505d48a4f5a436f22c6f80b83c4f9907

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6BBE.bat

Filesize
722B

MD5
f1063a21f8d3cf38999bfcc460be659f

SHA1
aed0b1866e31bf3fda1967a3d059ba67b28d9c9f

SHA256
f092e2719909b3bd6eb433977412c5e5d834412e817f10086429e7b4bc06608d

SHA512
3e4b5c627cbcb635f62dbde8f7fb7a1ba63df8ccf2c6b557fd8e555e1b0c9abccab631074557c30c3a1c41649e22e6aa5311623bbe84635abd257b047dad37a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\60cd3fd52a974569fb704e8ceab9a9365fcfbc0bb1ece5293ed991865c2928c9.exe.exe

Filesize
131KB

MD5
16438a96a8adb85472ca72da04701b29

SHA1
b1f5ee8bc083804de4de820255107f6541c84735

SHA256
9291cd97d2f1b119438f16e97ea75119f19fd959ec5414e84b337530d692e289

SHA512
58f659a29cb34245a261b7666b1cda4b76f2df1039f3713dda6ff5a97c33b4cc273b110d10b4131a6a5c13897efcfa9a5ef3031e0e5fb14db1adc0ac1ef25dcd

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
8e6c2527694305466e8cade2a7610544

SHA1
101649b6eb1e5ddf85cc53087cf9b663bac1d23a

SHA256
e4117bf04f097021f5f44b8c8270bf6dfc1feedc4a7738b832469f43d9381941

SHA512
c7dcc9eb13d5a2bd370f596464e0ac64418b11234ccac3cfcd337dbb17b283cc9ae93e28d823c9c25669cdeb8e0664d9b38e9dd263906daadc596ab2de1bd3ff

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
832B

MD5
7e3a0edd0c6cd8316f4b6c159d5167a1

SHA1
753428b4736ffb2c9e3eb50f89255b212768c55a

SHA256
1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

SHA512
9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\_desktop.ini

Filesize
8B

MD5
1c0fbf3204f05014248f47b58290aa63

SHA1
233eb8afaf33fab1e8e7c12d4a28e9ecdce776af

SHA256
5dad5b90d650fe88de482f53849dbbc0b9edc4e10d667217f21197ff4f9a3a7d

SHA512
3427d4cdaede981196902eb08658304ace7b034e2043ed0bcc5daa285e3dafab17a1256f5c148af9e048ef9469ff4b930643c09263f2bf9a8adb6a15b26c2808

Download Submit
memory/1200-30-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/2632-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2632-2964-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2632-4156-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-25-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2640-35-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2824-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-16-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download