Analysis
max time kernel: 149s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-05-2024 09:58
Static task: static1
Behavioral task: behavioral1
Sample: 765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe
Resource: win7-20240215-en
General
Target: 765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe
Size: 694KB
MD5: 15edb5f3d8dc8b4bb3560bd7a9b3eff6
SHA1: 35ee09a607af1e28015862df58d890eef9bcd27e
SHA256: 765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e
SHA512: e5c85752efba5f785f67a5b7c406233a2c3a5fff22903068c2c85a4596de1080f84f40bc58c2aef13de7fe4419e2aa8ebed5ee4ca5617575caf56823920a8b19
SSDEEP: 12288:/PzJgrpXt3hcorRSJwGHuwbwDdlELUDyoagA0rtmmrBE:/PzJgrVtxcolSJwGHuOud6L9fN0pmr
Malware Config
Signatures
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE 2 IoCs
pid | Process
3216 | Logo1_.exe
2936 | 765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe
File created | C:\Windows\Logo1_.exe | 765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
PID 3516: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID 3228: C:\Users\Admin\AppData\Local\Temp\765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID 2644: C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID 2932: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    PID 4120: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3A3A.bat
      - Suspicious use of WriteProcessMemory
      PID 2936: C:\Users\Admin\AppData\Local\Temp\765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\765588f23c201b5815b8f79dc9944827876ce28d8ca4bf60d4c687c2a31b8d8e.exe"
        - Executes dropped EXE
    PID 3216: C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID 392: C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID 4904: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      PID 4088: C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID 1208: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
-
Network
MITRE ATT&CK Enterprise v15
Downloads