Analysis
- max time kernel: 155s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-08-2023 06:06
Static task
static1
Behavioral task
behavioral1
Sample
ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe
Resource
win7-20230824-en
General
- Target: ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe
- Size: 2.8MB
- MD5: 0db2f877034eae2d714b3079697a5792
- SHA1: 918cc48474a409a6455d37a921b39162915d224c
- SHA256: ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19
- SHA512: 4c4062482897b45a5d4b88284504817bea810b2641e830b149409a5d351a37c327f638cd086be61ea81dea8596c7fda9b905ee21715de71fbea77736b222851d
- SSDEEP: 49152:o6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:1d1XdhBiiMa7
Malware Config
Signatures
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE 2 IoCs
pid | Process
1120 | Logo1_.exe
496 | ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe
File created | C:\Windows\Logo1_.exe | ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4856 | ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe
1120 | Logo1_.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
description | pid | Process | procid_target
PID 4856 wrote to memory of 4788 | 4856 | ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe | 82
PID 4788 wrote to memory of 1664 | 4788 | net.exe | 84
PID 4856 wrote to memory of 1772 | 4856 | ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe | 85
PID 4856 wrote to memory of 1120 | 4856 | ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe | 87
PID 1120 wrote to memory of 4428 | 1120 | Logo1_.exe | 90
PID 4428 wrote to memory of 4164 | 4428 | net.exe | 91
PID 1120 wrote to memory of 1612 | 1120 | Logo1_.exe | 93
PID 1612 wrote to memory of 2508 | 1612 | net.exe | 95
PID 1120 wrote to memory of 3192 | 1120 | Logo1_.exe | 52
Processes
-
- C:\Windows\Explorer.EXE (PID 3192)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe (PID 4856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe"
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 4788)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 1664)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 1772)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB2D5.bat
      - C:\Users\Admin\AppData\Local\Temp\ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe (PID 496)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ce9d756654d78d1a78d4fb528dede195b0029d70af55837b7d9de1d31cf2ba19.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 1120)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 4428)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4164)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 1612)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2508)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads