a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9

Analysis

max time kernel
150s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
Size

264KB
MD5

12fd9a9b45f37d850cdb0bbef4db0777
SHA1

7c44fd6168c42782eedec33a646d6417ef9bf0c1
SHA256

a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9
SHA512

19f968c2f0458b88a84848a51e12006ad15972382b96a3f80a9a5a2018d54fc78872e3c0da0df1cc26849bb6bd67abb14c6f1c53338e3afd8d4f2231a4670101
SSDEEP

3072:Oh+ke+aX3zX8QBD1pLRkgUA1nQZwFGVO4Mqg+WDY:D+aX3zJBXLRp1nQ4QLd

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2912	Logo1_.exe
4996	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Multimedia Platform\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
File created	C:\Windows\Logo1_.exe	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 932	2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe	82
PID 2460 wrote to memory of 932	2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe	82
PID 2460 wrote to memory of 932	2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe	82
PID 932 wrote to memory of 1344	932	net.exe	84
PID 932 wrote to memory of 1344	932	net.exe	84
PID 932 wrote to memory of 1344	932	net.exe	84
PID 2460 wrote to memory of 4012	2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe	89
PID 2460 wrote to memory of 4012	2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe	89
PID 2460 wrote to memory of 4012	2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe	89
PID 2460 wrote to memory of 2912	2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe	91
PID 2460 wrote to memory of 2912	2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe	91
PID 2460 wrote to memory of 2912	2460	a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe	91
PID 2912 wrote to memory of 5044	2912	Logo1_.exe	92
PID 2912 wrote to memory of 5044	2912	Logo1_.exe	92
PID 2912 wrote to memory of 5044	2912	Logo1_.exe	92
PID 5044 wrote to memory of 2696	5044	net.exe	94
PID 5044 wrote to memory of 2696	5044	net.exe	94
PID 5044 wrote to memory of 2696	5044	net.exe	94
PID 4012 wrote to memory of 4996	4012	cmd.exe	95
PID 4012 wrote to memory of 4996	4012	cmd.exe	95
PID 4012 wrote to memory of 4996	4012	cmd.exe	95
PID 2912 wrote to memory of 4832	2912	Logo1_.exe	96
PID 2912 wrote to memory of 4832	2912	Logo1_.exe	96
PID 2912 wrote to memory of 4832	2912	Logo1_.exe	96
PID 4832 wrote to memory of 3388	4832	net.exe	98
PID 4832 wrote to memory of 3388	4832	net.exe	98
PID 4832 wrote to memory of 3388	4832	net.exe	98
PID 2912 wrote to memory of 3404	2912	Logo1_.exe	56
PID 2912 wrote to memory of 3404	2912	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
  "C:\Users\Admin\AppData\Local\Temp\a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3C7C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe
      "C:\Users\Admin\AppData\Local\Temp\a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe"
      4⤵
      Executes dropped EXE
      PID:4996
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
d8db94d08b248211444185e6ef24fe61

SHA1
d933c595dee275b8d126122efd567d7d62a7d1cf

SHA256
fbaf522161a297910167730a207631c12ab0eeec07988685bf2e4d3e53a0b860

SHA512
26f0d7dbe438e3559fdd11235f6aeb30357e985b8d21034f49b913c420a07c9db27d7dcabea10ce0c1f1b7fb5daf3ba6a99a5e335e2e0f2e9bd50bf08989d524

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
bed65efdbba11616bf37876a0578d38a

SHA1
8140fc91ec18276cbd32e51a6add5e92aefa4944

SHA256
f234d5e1aa8e64f8f65912744893692b073e8c646f0c0c31762407237885d621

SHA512
2dcc753197fa5bc418941e933c76c5ff3298f0071924e72e38120266ce96eebf53fbd018b89a126788c8f14e0d6a12aa8a5991c4dd0debbc1220640d1add17aa

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
3e5d2a16f1fedf826992c1d3727232a8

SHA1
47096d6f91b955c6918de4fc3101785cc0de5319

SHA256
17653549207d5131192f87881dcc02a5178e7876211a5edd05b104bdb3e5b329

SHA512
37da95832ff5f7819d2d4a2e84923026f23ecc301c761b27eeafee2d414aeab91b73273a9e503867a8461c08283acdd715464171b251e6d005a67e125bce936d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3C7C.bat

Filesize
722B

MD5
2ce0ec1385d0a2fc5e101eca0fcce535

SHA1
056a613a465fdf81e453b0eeb55a2d317e320f62

SHA256
5fd2585b10d7c4a8bf0c58b84518671aa3a26a2d429ac03c394dfdf1c366fcf7

SHA512
bd0e07274af26252f3ff3af98109dc3c8d74528f05e0db614e25e02a3c43f127f05866e3fc564a3bd2a9856cc9f3d848b275a8d259571f4e9466a8a0840ec6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0147682b27f52290a0c4743d072f99f9fb84acfc494a5288fcacd68dac292b9.exe.exe

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
889b263aa6dca72c5b323bb3b4900aa4

SHA1
f3b4d4b6e721c17271e49473b327c1c74141ebcb

SHA256
749c032c705049445dcb20bc3a92ee321c8d3fa9c0c188d584274dfd313d9afe

SHA512
cc86401682ec6349837d005b99b4ccbb856820a168de76c98fae57b1145b3543fedea4525612136f94ba63351a36df0890f7fc6ed25a060894da1cdd63f29f72

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\_desktop.ini

Filesize
8B

MD5
d970a2bfcaa076939c06270d1a48dec8

SHA1
7a558f4d64c3e98bcfd2af83f28e6fbd207a39e1

SHA256
bdc6872f9a0a011a670907f0fedad9b88e283c5af545cf9f6bd73c3709967d44

SHA512
ea4c16930628455852ce343f8ae248b6df869b8da10b10928ebb802129f73d9761971811de317c7d3121b815340027782ec15d385d1d2d7df8fd0a46b62974c2

Download Submit
memory/2460-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2460-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2912-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2912-5267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2912-8706-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download