814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
Size

5.7MB
MD5

c34e10dee5409f323017af08a3adb3b0
SHA1

f69c0a1099d6e1c7df2d97022fbc374a9a234727
SHA256

814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9
SHA512

0d8edf87c7601368b9d25dda9be0b81152ec8db86b5fd9297f5b85fb32d107262a69860524316a9e316399d9e04bbc930543a57c2eb385beaced6f614eba52ea
SSDEEP

49152:sBBPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTP:s7KUgTH2M2m9UMpu1QfLczqssnKSk

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
3376	Logo1_.exe
804	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
File created	C:\Windows\Logo1_.exe	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe
3376	Logo1_.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 4476	1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe	84
PID 1116 wrote to memory of 4476	1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe	84
PID 1116 wrote to memory of 4476	1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe	84
PID 4476 wrote to memory of 3092	4476	net.exe	86
PID 4476 wrote to memory of 3092	4476	net.exe	86
PID 4476 wrote to memory of 3092	4476	net.exe	86
PID 1116 wrote to memory of 3396	1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe	90
PID 1116 wrote to memory of 3396	1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe	90
PID 1116 wrote to memory of 3396	1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe	90
PID 1116 wrote to memory of 3376	1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe	92
PID 1116 wrote to memory of 3376	1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe	92
PID 1116 wrote to memory of 3376	1116	814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe	92
PID 3376 wrote to memory of 2452	3376	Logo1_.exe	93
PID 3376 wrote to memory of 2452	3376	Logo1_.exe	93
PID 3376 wrote to memory of 2452	3376	Logo1_.exe	93
PID 2452 wrote to memory of 4304	2452	net.exe	95
PID 2452 wrote to memory of 4304	2452	net.exe	95
PID 2452 wrote to memory of 4304	2452	net.exe	95
PID 3376 wrote to memory of 3624	3376	Logo1_.exe	97
PID 3376 wrote to memory of 3624	3376	Logo1_.exe	97
PID 3376 wrote to memory of 3624	3376	Logo1_.exe	97
PID 3624 wrote to memory of 4828	3624	net.exe	99
PID 3624 wrote to memory of 4828	3624	net.exe	99
PID 3624 wrote to memory of 4828	3624	net.exe	99
PID 3376 wrote to memory of 3580	3376	Logo1_.exe	56
PID 3376 wrote to memory of 3580	3376	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
  "C:\Users\Admin\AppData\Local\Temp\814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a395F.bat
    3⤵
    PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe
      "C:\Users\Admin\AppData\Local\Temp\814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe"
      4⤵
      Executes dropped EXE
      PID:804
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4304
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3624
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
583KB

MD5
06f1ac7e5eca279d686c8c6879114d47

SHA1
302f372dcd49ef075ed0767352b5c653d3e07379

SHA256
23f76914424d79a927c49c4627a36f2bc4a5fef1d7b2ce3fe90acae5daf86360

SHA512
8083af35fc27effd0e63f1a06d4b9a91c2da42cae671b25f2f283fb06b2c08c5a6b82744b8098b5ffce60971b430f9b1a15f4a335138fd0ddae1ce25ce12128e

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
649KB

MD5
482a73e91b0d994114ceb6e8e1c6709e

SHA1
921ba9e891d6451017854225fe3ad646e6fb1bbf

SHA256
5960ed0b6779000f4ce9209325bedc4962cf04c31927eca1f51d0923e37522f8

SHA512
73a05a5aaca7a3bf22ca1d522a793a857deb16db761838c77fc6cd1a10e5862d2270165198fdf2a2249bc4324507b89c9e2205e69275005a0e2c42572d79a27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a395F.bat

Filesize
722B

MD5
6c86abeb8fd1cd3e9414794dc0b4598b

SHA1
6814f34c7b4bde2e915531ff6a97a7030d1ed08f

SHA256
4c25deee13fa23a66a8c85f432a3ba25bca4f030bbf958624743c53fb39c4089

SHA512
153c369bc52a9d9e41a027ca195bcd2eae6ecf8694c7ed5e591ab129b2a32c12b1278b512ea6f66ef0f9ed4e7af7e60590691dc0e180f6db7147252ef2e76142

Download Submit
C:\Users\Admin\AppData\Local\Temp\814f3b407e405fa49141fce100527e3f507c8f2151eade1811474dedb51e7fc9.exe.exe

Filesize
5.7MB

MD5
ba18e99b3e17adb5b029eaebc457dd89

SHA1
ec0458f3c00d35b323f08d4e1cc2e72899429c38

SHA256
f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

SHA512
1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

Download Submit
C:\Windows\Logo1_.exe

Filesize
39KB

MD5
f4768631d279965f7060d71d3b9c858f

SHA1
2bccced94b3cc81ae22931489a3c8b57c2a6f8df

SHA256
c025ab0b3651689d4a9d3e4d8a428b219c887d9ca72532962b812bf4c091beaa

SHA512
bc8aabea17286c99265055794fad2831ab11d012d6835a9a2e6974722346c95a300a9610ee704c9b531b29680fdae19bdd1d0e60c889a7c2e2723779b88da891

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-355664440-2199602304-1223909400-1000\_desktop.ini

Filesize
9B

MD5
a4e284afce5c2e93b509543e6064da82

SHA1
77a7ae3e38b05410dcf335f8abe1df4d7f0b141c

SHA256
f4460d1a85b2980fa2b8d329adda0fd330f8157d7afc2d7b1bad62453ff1dfe8

SHA512
8f2147ca54c96b0b05bf69a7919b5bf54b20036ba8336f6ba379c2abb0d31139a91d315130040ef1d06450dd624d8a8661396eb082407b8f7455be4d61351821

Download Submit
memory/1116-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1116-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3376-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3376-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3376-5307-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3376-8701-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download