694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
Size

178KB
MD5

e9cdf2209cc3d95e7a141b0b80844cf7
SHA1

88871f53f6391ddee0fe2b8996ed25849105e3d3
SHA256

694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e
SHA512

62fa554c6b4862be18346ce77f91f9b838baf3cb57043ec81b80f7b152e8eba9113927e76ca2375ac7b15a83cc8a216c0d90889d1e80b878ae78b8878b3565a7
SSDEEP

3072:47e+aX3tM6gT9ov1Gny0is1iygSw01IZ1ymklBF5TjZqMNl:3+aX3u6gT9ocR3gSZ1IZ1yjrvl

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
944	Logo1_.exe
332	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\EBWebView\x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\identity_proxy\win11\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\cookie_exporter.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe
944	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 4356	1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe	94
PID 1704 wrote to memory of 4356	1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe	94
PID 1704 wrote to memory of 4356	1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe	94
PID 4356 wrote to memory of 932	4356	net.exe	96
PID 4356 wrote to memory of 932	4356	net.exe	96
PID 4356 wrote to memory of 932	4356	net.exe	96
PID 1704 wrote to memory of 688	1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe	98
PID 1704 wrote to memory of 688	1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe	98
PID 1704 wrote to memory of 688	1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe	98
PID 1704 wrote to memory of 944	1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe	99
PID 1704 wrote to memory of 944	1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe	99
PID 1704 wrote to memory of 944	1704	694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe	99
PID 944 wrote to memory of 692	944	Logo1_.exe	100
PID 944 wrote to memory of 692	944	Logo1_.exe	100
PID 944 wrote to memory of 692	944	Logo1_.exe	100
PID 692 wrote to memory of 4396	692	net.exe	103
PID 692 wrote to memory of 4396	692	net.exe	103
PID 692 wrote to memory of 4396	692	net.exe	103
PID 688 wrote to memory of 332	688	cmd.exe	104
PID 688 wrote to memory of 332	688	cmd.exe	104
PID 688 wrote to memory of 332	688	cmd.exe	104
PID 944 wrote to memory of 2428	944	Logo1_.exe	106
PID 944 wrote to memory of 2428	944	Logo1_.exe	106
PID 944 wrote to memory of 2428	944	Logo1_.exe	106
PID 2428 wrote to memory of 2936	2428	net.exe	108
PID 2428 wrote to memory of 2936	2428	net.exe	108
PID 2428 wrote to memory of 2936	2428	net.exe	108
PID 944 wrote to memory of 3376	944	Logo1_.exe	56
PID 944 wrote to memory of 3376	944	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
  "C:\Users\Admin\AppData\Local\Temp\694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6050.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe
      "C:\Users\Admin\AppData\Local\Temp\694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe"
      4⤵
      Executes dropped EXE
      PID:332
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4396
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3952 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:8
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
6329333b400828394f1806aa1670367f

SHA1
59e41436c41f1dd6cd8242df2cbeaf04e7b864a6

SHA256
fa69d50d5373451478641062a25ee6d509247d2ee18f2505c54048695f2363b9

SHA512
6fc5cd02230ee989d00c67356080affb387a36600d96ef6666c15a90d914964c8780a198d63831a570a04d850fbe87b7567866940cf4affb3cf1458053fb870d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
e1bf3d44ffe8e2ee2d0c163d7fb160fa

SHA1
3a71863458cef4e66115a984aee8939ba93afd3e

SHA256
0c8645e63ab04c309bab5a2a7cf2c394a6bd393a913a6501520920f311713fee

SHA512
7a1d0643d9a323bc286f860fab36d3f3caf92b44313de7aeec3a45ac6422646b12e811d9dbaf755f445d1fa11eb691fcf04bcb1dd4b02a9550c2058c6dd578ef

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
488KB

MD5
059ef6e04f985aaf0d22c25b51bbc471

SHA1
b44b466612846e2c775274e829d8bf2d10b4ef99

SHA256
200bf7ee3391889a79a022c060d1aa3280284be10b2242eb78a2ce132e5564e4

SHA512
fe4fa52728c9ddc2d54a6e3e5a98993d0d9698b58284622ff002db4c1b0a01713ad009bb5c82e428bf4037d155de33020899d3a3d4f937b38e91d42bebffd390

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6050.bat

Filesize
722B

MD5
3a66a051d975013eb9f4362debfbe55e

SHA1
e5511412c40bfc2f17222c2aebd4fa4009db9105

SHA256
f4e0f5fff97d44efbee3be43ed37ffe1848f39f0f2a92eeb773ac9bd83b11089

SHA512
e4d5718cbef248847f97d6b05136557a08bd9265fadf171c97290b74320f060c344a1f5158a0b88af411941ee0632de973cf1e9635afb5f7cda88fa6e2109d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\694739d5ed9cce5e8483fa5fef800cf180a829d5e5c497d439bcd119cd63676e.exe.exe

Filesize
145KB

MD5
f0003bbe2ddbc6a86bcd8bb3e59a459e

SHA1
72a13c7a33c9262cc60037aeaf120f54a21cdeb6

SHA256
6b3875c773db867834fe34c0efe43263908cfd264b77336f4c99977927650914

SHA512
7603900304bfd5f31e6165554a30d2dcbaa62d2d60debf55e9e7fb4c8c3d9f86a78725beb435ff9c85bd57562d538d527645cbe5dfbcb73efa9b2c5e600ab7a7

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
8d5b24a731c86a9a1d648e167662785c

SHA1
88ad95a57fa097fde78785d2166b2e601704455f

SHA256
7bbf74b55580006eac528539f928998942ff4038dcca81adc29c3ea2b47f0d98

SHA512
d603a5e3a80c2a66d79316561673f0f704ac15a7afb7df24356af7e75f06a94e295ffff449da7ac3fd1ce642fcc2a289e2eecefc0895065c7e6d31016dd03755

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\_desktop.ini

Filesize
9B

MD5
a7058e06d084fd947f7dddc2897ebb22

SHA1
400bcc9cc3cbab99b910b4696cc0163ba8713226

SHA256
da0976fbb0588170763cb9b0d9b3ce23b0ff3e7cc146ecf1840a40e7655f1287

SHA512
4921df984df8d792e9cde40d30fd19e315b2af1b034966c6fc397ef92e3cb25cfa258400758277e9ec01b5609f3041ba42c8e5911b79eff5a08843a91ad9c9c9

Download Submit
memory/944-37-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-778-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-2457-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-2473-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-5240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-8602-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/944-9009-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download