e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee

Analysis

max time kernel
158s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
Size

62KB
MD5

b448a4ed020d6d8280086c0a7c1c9431
SHA1

954dc1dab428145a82e4c85e1b94fa1adddf58b6
SHA256

e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee
SHA512

46b0af3e5f1102d62cde17bc6ea893a704e6abea3ef8cd354d2feb7e28fe401515ac73f00fb0f311b1fc23fef2f87a7cbc57aa5d4e932720a8ea5c84554173b4
SSDEEP

1536:4uue+Zk77RNtMy/tgTM/OqxPAq9khDRGadegghOgmgk:4Ze+aX3tM6gT9oL9k9dehhOgo

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
4856	Logo1_.exe
260	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Trust Protection Lists\Sigma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\EBWebView\x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
File created	C:\Windows\Logo1_.exe	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 4532	3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe	95
PID 3464 wrote to memory of 4532	3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe	95
PID 3464 wrote to memory of 4532	3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe	95
PID 4532 wrote to memory of 1340	4532	net.exe	97
PID 4532 wrote to memory of 1340	4532	net.exe	97
PID 4532 wrote to memory of 1340	4532	net.exe	97
PID 3464 wrote to memory of 3920	3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe	98
PID 3464 wrote to memory of 3920	3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe	98
PID 3464 wrote to memory of 3920	3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe	98
PID 3464 wrote to memory of 4856	3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe	100
PID 3464 wrote to memory of 4856	3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe	100
PID 3464 wrote to memory of 4856	3464	e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe	100
PID 4856 wrote to memory of 3980	4856	Logo1_.exe	101
PID 4856 wrote to memory of 3980	4856	Logo1_.exe	101
PID 4856 wrote to memory of 3980	4856	Logo1_.exe	101
PID 3980 wrote to memory of 2016	3980	net.exe	103
PID 3980 wrote to memory of 2016	3980	net.exe	103
PID 3980 wrote to memory of 2016	3980	net.exe	103
PID 3920 wrote to memory of 260	3920	cmd.exe	104
PID 3920 wrote to memory of 260	3920	cmd.exe	104
PID 3920 wrote to memory of 260	3920	cmd.exe	104
PID 4856 wrote to memory of 4660	4856	Logo1_.exe	105
PID 4856 wrote to memory of 4660	4856	Logo1_.exe	105
PID 4856 wrote to memory of 4660	4856	Logo1_.exe	105
PID 4660 wrote to memory of 3156	4660	net.exe	107
PID 4660 wrote to memory of 3156	4660	net.exe	107
PID 4660 wrote to memory of 3156	4660	net.exe	107
PID 4856 wrote to memory of 3316	4856	Logo1_.exe	57
PID 4856 wrote to memory of 3316	4856	Logo1_.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
  "C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a27E6.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
      "C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe"
      4⤵
      Executes dropped EXE
      PID:260
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2016
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
f6f8adc981d6b6b2071ce614b521f5ab

SHA1
c9ad9978d768c8b12a6d804c2efdf102ae43f623

SHA256
7e2efe04f24526eadc605c6d3615e3ff716bd62c50934364a2ded32964a609f0

SHA512
d6622dcb15c51a16e4beeeb2ea32279c1ce01e96283d8ea044b56398c4f370f683d5133038e01b21b648a53288012ad51d050f11e69786ec5a7bf87134c1f54d

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
488KB

MD5
059ef6e04f985aaf0d22c25b51bbc471

SHA1
b44b466612846e2c775274e829d8bf2d10b4ef99

SHA256
200bf7ee3391889a79a022c060d1aa3280284be10b2242eb78a2ce132e5564e4

SHA512
fe4fa52728c9ddc2d54a6e3e5a98993d0d9698b58284622ff002db4c1b0a01713ad009bb5c82e428bf4037d155de33020899d3a3d4f937b38e91d42bebffd390

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a27E6.bat

Filesize
722B

MD5
3c30354a0e3d7d9bc398523f027a8b6f

SHA1
77bbaa678b22d62e78de359aafc392e076e9be26

SHA256
b8e030050a28d5ce97c41bce5ca1b47ba689808cd0288abf3cbc5f698746d2e8

SHA512
97daa12ce33ccf17d7cf725008f8604d9e33e4c48864791dc6188cc220e3a8bff0d5bf03114ea7422ef9319d92253ca086ce4b924904514dd455906179d888ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe.exe

Filesize
29KB

MD5
0cac659cc68e68ed44223ddb7343275a

SHA1
cb75dd7034e31eb575668f7c69b7d990653c0248

SHA256
7c32fe8ec1851e273763a2742a67a1f9c09a3725c9eaec76e22fcfc92dda7c88

SHA512
1c0c3b170bed3a3cbd7821dfa008e776df675f620afe85905f84f7d86b68b487206af0c6acf8207ae346b8ae7deb71a756128cb5c199bf648952d2c582aa9023

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
1eb46052207e9bdf5c8cc6aa7dcccf89

SHA1
37ed03cd7c2ccade09093134c6a2b6099d450227

SHA256
db79ee7697ddc2795271dd97e4910c9343f58758e913ba19df70e7a481555cda

SHA512
f4b0fdfebbbc9fa25563f2da3d6171cde29306ff5ac5ac024c05da231b3150c11dd52021162ba8f13926f6defa611968628bd776b9f4f8660c995915b43c9eca

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

Filesize
9B

MD5
a7058e06d084fd947f7dddc2897ebb22

SHA1
400bcc9cc3cbab99b910b4696cc0163ba8713226

SHA256
da0976fbb0588170763cb9b0d9b3ce23b0ff3e7cc146ecf1840a40e7655f1287

SHA512
4921df984df8d792e9cde40d30fd19e315b2af1b034966c6fc397ef92e3cb25cfa258400758277e9ec01b5609f3041ba42c8e5911b79eff5a08843a91ad9c9c9

Download Submit
memory/3464-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3464-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3464-1-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-276-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-2399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-2570-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-4959-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-5967-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-8722-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-8816-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download