Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-05-2024 09:56
Static task: static1
Behavioral task: behavioral1
Sample: 65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe
Resource: win7-20240419-en
General
-
Target
65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe
-
Size
279KB
-
MD5
d5018dd648f3d30f30be13ccf753f0d5
-
SHA1
233590dab8a65e703f31aade6908345ca98f92fb
-
SHA256
65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6
-
SHA512
ed6ca78340745722725634325248f461c10a558c8f728a342a1d156c01d1f734c875a1de51550385067ef5b092694cbf5bc274f6230096c5a24def55ba6a501f
-
SSDEEP
6144:nG5KmhdFu+qQbdy5SahDbyLxoROmeOprx3v0:nP6JqQZy5SfOROj
Malware Config
Signatures
-
Drops startup file 2 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (process: Logo1_.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (process: Logo1_.exe)
-
Executes dropped EXE 2 IoCs
PID 4476: Logo1_.exe
PID 4560: 65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by Logo1_.exe: \??\Z:, \??\S:, \??\P:, \??\L:, \??\K:, \??\I:, \??\E:, \??\M:, \??\H:, \??\G:, \??\Y:, \??\X:, \??\W:, \??\V:, \??\N:, \??\J:, \??\U:, \??\T:, \??\R:, \??\Q:, \??\O:
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
File created: C:\Windows\Logo1_.exe (process: 65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe)
File opened for modification: C:\Windows\rundl132.exe (process: Logo1_.exe)
File created: C:\Windows\Dll.dll (process: Logo1_.exe)
File created: C:\Windows\rundl132.exe (process: 65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe)
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 224: 65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe
PID 4476: Logo1_.exe
-
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target
PID 224 wrote to memory of 2736 | 224 | 65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe | 84
PID 2736 wrote to memory of 428 | 2736 | net.exe | 86
PID 224 wrote to memory of 1028 | 224 | 65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe | 90
PID 224 wrote to memory of 4476 | 224 | 65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe | 91
PID 4476 wrote to memory of 4428 | 4476 | Logo1_.exe | 93
PID 4428 wrote to memory of 3364 | 4428 | net.exe | 95
PID 1028 wrote to memory of 4560 | 1028 | cmd.exe | 96
PID 4476 wrote to memory of 636 | 4476 | Logo1_.exe | 97
PID 636 wrote to memory of 1040 | 636 | net.exe | 99
PID 4476 wrote to memory of 3456 | 4476 | Logo1_.exe | 56
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3456
  - C:\Users\Admin\AppData\Local\Temp\65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe"
    PID: 224
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 2736
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 428
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D3E.bat
      PID: 1028
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe"
        PID: 4560
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 4476
      Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 4428
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 3364
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 636
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 1040
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 644KB
C:\Users\Admin\AppData\Local\Temp\65517ce5a8b60ab6a5386afdd85c4e71cbc957b885a51769e302d80151676ab6.exe.exe
Filesize: 245KB