2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 10:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
Size

70KB
MD5

2b5c3664f6e4ce63bf2ad9fc0430ec37
SHA1

72c7d50f70fd2ca23265c042dbefcc382693baaf
SHA256

2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047
SHA512

259d057c352888e6b5135b9015e940ede8911666a93224a891ee98b60c8e905b4bb6cebdb7111883dffd7e36c399b60e9d175d3c2e180e12a6ca824b243d0278
SSDEEP

1536:Qh1oRJbj/e+Zk77RNCLp44x6eriw+d9bHrkT5gUHz7FxtJ:QCe+aX3t4xrBkfkT5xHzD

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
4560	Logo1_.exe
3832	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
File created	C:\Windows\Logo1_.exe	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe
4560	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 4672	1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe	91
PID 1260 wrote to memory of 4672	1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe	91
PID 1260 wrote to memory of 4672	1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe	91
PID 4672 wrote to memory of 2872	4672	net.exe	93
PID 4672 wrote to memory of 2872	4672	net.exe	93
PID 4672 wrote to memory of 2872	4672	net.exe	93
PID 1260 wrote to memory of 1468	1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe	94
PID 1260 wrote to memory of 1468	1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe	94
PID 1260 wrote to memory of 1468	1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe	94
PID 1260 wrote to memory of 4560	1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe	96
PID 1260 wrote to memory of 4560	1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe	96
PID 1260 wrote to memory of 4560	1260	2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe	96
PID 4560 wrote to memory of 2540	4560	Logo1_.exe	97
PID 4560 wrote to memory of 2540	4560	Logo1_.exe	97
PID 4560 wrote to memory of 2540	4560	Logo1_.exe	97
PID 2540 wrote to memory of 3912	2540	net.exe	99
PID 2540 wrote to memory of 3912	2540	net.exe	99
PID 2540 wrote to memory of 3912	2540	net.exe	99
PID 1468 wrote to memory of 3832	1468	cmd.exe	100
PID 1468 wrote to memory of 3832	1468	cmd.exe	100
PID 4560 wrote to memory of 2980	4560	Logo1_.exe	101
PID 4560 wrote to memory of 2980	4560	Logo1_.exe	101
PID 4560 wrote to memory of 2980	4560	Logo1_.exe	101
PID 2980 wrote to memory of 4084	2980	net.exe	103
PID 2980 wrote to memory of 4084	2980	net.exe	103
PID 2980 wrote to memory of 4084	2980	net.exe	103
PID 4560 wrote to memory of 3332	4560	Logo1_.exe	56
PID 4560 wrote to memory of 3332	4560	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3332
- C:\Users\Admin\AppData\Local\Temp\2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
  "C:\Users\Admin\AppData\Local\Temp\2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a33CD.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe
      "C:\Users\Admin\AppData\Local\Temp\2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe"
      4⤵
      Executes dropped EXE
      PID:3832
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3912
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
9ac10f2289f81d00cb5315e30a25967d

SHA1
43f3ec8b12b8ef26c5e0151a50e708edd8a3e979

SHA256
a978211529b28a3b66408c32636b82ef4405121d57e90a911c60f3810be3c0cc

SHA512
211d2c4d98509e4b0df64c0b31331431486886ae40c106ca1af496a2573fcfce3737d3574f6f41e39b02cf35b67859c14e46d58b30cf59062f8b68ec76dc1a77

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
9b73ea744610add358a523c48b536d6d

SHA1
38d35606d7b18b9f9ec4e4bfac20b523ecc1ed88

SHA256
02cff7e352a7c94505a1d1c73425ec9968637b9010c8c017dc70f7d6a78a3a45

SHA512
aa6b8405c175a2cf9be163d8f282894498f2e8ddffde0caa59c0ad2b357582fd21454f1b742d2169e1d326576e08ed8869de861f549cc0fd8c1e4c42fbe6b3eb

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
488KB

MD5
85b76d0e0da4b34c0acc7abcd83d7150

SHA1
3c361c827353e87281950c2baef4ed7a24eee844

SHA256
a2beda607517ea941d193ff76cd746ba01dd55a62725874c59e93776cf3f3f53

SHA512
407a41a1fd8a4e24dbddbc624a50a94d101c541e9d73e5db4b1fa68fd2915c1cb92f6444fa8416429134b88610de31be620eaacda2b9a96e76182ca2323c3644

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a33CD.bat

Filesize
722B

MD5
edd925e7b3243ebd294efafa1a66da13

SHA1
e914d4a7394cbf4363f84c6563d59d3b4518c2dd

SHA256
af017f6031e24feb8430bcbd07200ce52548123b56c068714aac7ca7b451714f

SHA512
d45199cdeac9c99f8b97ec2d4094682a48d85a74c978b08fdd96a24a7a905338a7fd80c34ed911bbc64b4473d9b58ec8b33ee2af31c6804268f6038a48aa833b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2302d4d189f215b96c37cfe141b2e3130fb63fd060a04910950cff4b1549a047.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
beaa56a0e4764dd95329202a0a92e326

SHA1
1e18f4051244e4aa8eabbddc7001ffcdc2adc055

SHA256
02424a4ca6ac65d66c89b79493d30a0c54c46da6ec225ef5ae1c724913451a08

SHA512
fc65d6da1e1f112abbb37c5227823980d644b6436cec5d44a75de9e97ba9e709010fc6edb064c592ce931412612010c7254bc5eb6c4aec004510786525276e25

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/1260-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1260-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-1723-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-2726-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-5506-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-7651-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-8818-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download