Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2024, 04:05
Static task: static1
Behavioral task: behavioral1
Sample: 48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe
Resource: win7-20240708-en
General
Target: 48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe
Size: 400KB
MD5: 46b9bae9cdc0f3824c1f63a92db4381d
SHA1: 325f2d5884d24cb1357c1e5e8e9785824188a944
SHA256: 48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405
SHA512: a3c5280804e7086af5a6b475a7c5eb8531f3c19c937c7567be8668d1d14de47a2b08ac11fde693d07cfb25cf65cba5725c24e27067a1bf9845539edb6c9f3f3b
SSDEEP: 6144:/b+aezsP2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYF1mx:/b+aQahVy41
Malware Config
Signatures
-
Drops startup file 2 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (process: Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (process: Logo1_.exe)
Executes dropped EXE 2 IoCs
- PID 208: Logo1_.exe
- PID 1776: 48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
- File created: C:\Windows\rundl132.exe (process: 48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe)
- File created: C:\Windows\Logo1_.exe (process: 48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe)
- File opened for modification: C:\Windows\rundl132.exe (process: Logo1_.exe)
- File created: C:\Windows\Dll.dll (process: Logo1_.exe)
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3612
  - C:\Users\Admin\AppData\Local\Temp\48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe"
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID: 4896
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 3032
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 1008
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB3FE.bat
      Signatures: Suspicious use of WriteProcessMemory
      PID: 4328
      - C:\Users\Admin\AppData\Local\Temp\48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\48486ac596a5b4da52f00bf0ba094f5b45829ffb3040074684dd1d63f7ade405.exe"
        Signatures: Executes dropped EXE
        PID: 1776
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 208
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 1532
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2148
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 3060
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 3428
Network
MITRE ATT&CK Enterprise v15
Downloads