30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 17:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
Size

63KB
MD5

1457f2a1c48f28fd70a8edc02976b373
SHA1

ab0dbdd0e98d043960fabc5e1589593f21368876
SHA256

30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3
SHA512

d29523ecbe2bfd17a06dda24bb8fe17b2b4c3243e02c179dc9dda8bd915285a4a84d14461b05f7ce3f7d6d0220f85aaf4e9aa0a08e8306b1855b333c83ea7f65
SSDEEP

1536:6Rcx1aeg1v9OQZVUKM6+kKpUq9khDRGadegghOgmgk:6Rf9lOzKM5pP9k9dehhOgo

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
1408	Logo1_.exe
4504	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Oracle\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
File created	C:\Windows\Logo1_.exe	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1860	1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe	81
PID 1372 wrote to memory of 1860	1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe	81
PID 1372 wrote to memory of 1860	1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe	81
PID 1860 wrote to memory of 4572	1860	net.exe	83
PID 1860 wrote to memory of 4572	1860	net.exe	83
PID 1860 wrote to memory of 4572	1860	net.exe	83
PID 1372 wrote to memory of 2228	1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe	87
PID 1372 wrote to memory of 2228	1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe	87
PID 1372 wrote to memory of 2228	1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe	87
PID 1372 wrote to memory of 1408	1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe	89
PID 1372 wrote to memory of 1408	1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe	89
PID 1372 wrote to memory of 1408	1372	30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe	89
PID 1408 wrote to memory of 4660	1408	Logo1_.exe	90
PID 1408 wrote to memory of 4660	1408	Logo1_.exe	90
PID 1408 wrote to memory of 4660	1408	Logo1_.exe	90
PID 4660 wrote to memory of 1572	4660	net.exe	92
PID 4660 wrote to memory of 1572	4660	net.exe	92
PID 4660 wrote to memory of 1572	4660	net.exe	92
PID 2228 wrote to memory of 4504	2228	cmd.exe	93
PID 2228 wrote to memory of 4504	2228	cmd.exe	93
PID 2228 wrote to memory of 4504	2228	cmd.exe	93
PID 1408 wrote to memory of 2980	1408	Logo1_.exe	94
PID 1408 wrote to memory of 2980	1408	Logo1_.exe	94
PID 1408 wrote to memory of 2980	1408	Logo1_.exe	94
PID 2980 wrote to memory of 4524	2980	net.exe	96
PID 2980 wrote to memory of 4524	2980	net.exe	96
PID 2980 wrote to memory of 4524	2980	net.exe	96
PID 1408 wrote to memory of 3392	1408	Logo1_.exe	56
PID 1408 wrote to memory of 3392	1408	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
  "C:\Users\Admin\AppData\Local\Temp\30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3AA7.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe
      "C:\Users\Admin\AppData\Local\Temp\30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe"
      4⤵
      Executes dropped EXE
      PID:4504
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1572
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
9c7d11d265c739c3e8e69c24217d0771

SHA1
265e56a482460ebcaa253661e9eadb0bddffe740

SHA256
f3b9689d252f1ea77f89129b634e3219d904dd3f0e9b307130809911c06ca776

SHA512
717beb9a4777ce0cf9474165948f0a74bd1e38f4f73331f265ce2927a756b290d5cc27728c5a85ca69707ab7fcaa51982af0b9807cde15aaa9cd2de502360f3b

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
2186e704236b47c2268b5e251f696330

SHA1
101fdc37baf83fed8f6f8b55f1594a13e5060c4f

SHA256
ece9f7bb3d56dff6b865be7804d66254865ca7211619d517a7cf35cabba05144

SHA512
f0b451724fe6aa486002e6c86951e0089f5bc6f7cca6cf3b0c9cc8fb55cec0e5ae428c5ce00774e7d71b6427261f37573ffe385cac023f213e438fc031fda806

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3AA7.bat

Filesize
722B

MD5
b4b7f1c899b36dbd78f514ab928fbea0

SHA1
19e7c4494455280f0067e06a2603c2bd6c9c1562

SHA256
e7d512a7e517e6caa33f7782b156e68d70506782bcd14f28e6358ec1b45a6a67

SHA512
fe8f4378390d802ab4a0668abf9e4a9381f385ed13b5ad55b14f57685d7c841dc11211bb96456808be728e6ec1bf3a4e77f57bc7882a258094c541130c2412c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\30e867eef787ba59422efcc9c274c8de39bc72db1004df73342077de318c0fc3.exe.exe

Filesize
29KB

MD5
0cac659cc68e68ed44223ddb7343275a

SHA1
cb75dd7034e31eb575668f7c69b7d990653c0248

SHA256
7c32fe8ec1851e273763a2742a67a1f9c09a3725c9eaec76e22fcfc92dda7c88

SHA512
1c0c3b170bed3a3cbd7821dfa008e776df675f620afe85905f84f7d86b68b487206af0c6acf8207ae346b8ae7deb71a756128cb5c199bf648952d2c582aa9023

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
5553d3ee0be1b8b190a8cabf5ac62a7d

SHA1
6e05d4872a18ec838e986aaf8702941fc3ebdbed

SHA256
71cd5ce8ac64bb6d980085861a384c45af9ab7f69e66a1c5425b72f451bba722

SHA512
dca7f12e7f67945e2dfd77ad6180ad2a87d5cac7751715a7a1fb070c7573f9ff3f3911ff28ba96fc47fcb2e7459f0076d167d0dd28edd6d96b0204a4234fc452

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\_desktop.ini

Filesize
8B

MD5
378d822ce12583d0d584184af22d1d77

SHA1
c062ac770b028df6db676099e02f09fc2f77b171

SHA256
1ad01f8e46c86dfa34468e306eabe54b58d56134130b53ea7677961e3baaf6c7

SHA512
23cf7b916de734c6bb6fd3b2beee21f3e82bc95e93d8662dca818d7cf13602706f22671dce61388b2a7e0b613c07c70512331c4132759b16cf438cb1750bc397

Download Submit
memory/1372-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1372-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1408-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1408-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1408-3346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1408-8660-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download