1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
Size

285KB
MD5

66446804f070ed82c3819c50e4b9599f
SHA1

b0d8a8d131fdcae99bd93e57871ab0c20451a34a
SHA256

1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d
SHA512

f4b16c64c2118fb74d1b78af91b1ce8e40e3f7d524cd593ab66a3ee7f57dad75923af0a4d43689e044f55226acf1bbfe360e997f46b3ae261adfe2ebfb787ce0
SSDEEP

6144:81NM5pfMTi0+lfh+L5qe9T5q4GAFzWTBPMmC1UC6fOaU:81upfMTi0uhMqe9ts2zWTpMmCG7W

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
3776	Logo1_.exe
3200	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
File created	C:\Windows\Logo1_.exe	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe
3776	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 2276	3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe	83
PID 3092 wrote to memory of 2276	3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe	83
PID 3092 wrote to memory of 2276	3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe	83
PID 2276 wrote to memory of 3576	2276	net.exe	85
PID 2276 wrote to memory of 3576	2276	net.exe	85
PID 2276 wrote to memory of 3576	2276	net.exe	85
PID 3092 wrote to memory of 832	3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe	89
PID 3092 wrote to memory of 832	3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe	89
PID 3092 wrote to memory of 832	3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe	89
PID 3092 wrote to memory of 3776	3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe	90
PID 3092 wrote to memory of 3776	3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe	90
PID 3092 wrote to memory of 3776	3092	1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe	90
PID 3776 wrote to memory of 4692	3776	Logo1_.exe	92
PID 3776 wrote to memory of 4692	3776	Logo1_.exe	92
PID 3776 wrote to memory of 4692	3776	Logo1_.exe	92
PID 832 wrote to memory of 3200	832	cmd.exe	94
PID 832 wrote to memory of 3200	832	cmd.exe	94
PID 832 wrote to memory of 3200	832	cmd.exe	94
PID 4692 wrote to memory of 4884	4692	net.exe	95
PID 4692 wrote to memory of 4884	4692	net.exe	95
PID 4692 wrote to memory of 4884	4692	net.exe	95
PID 3776 wrote to memory of 760	3776	Logo1_.exe	97
PID 3776 wrote to memory of 760	3776	Logo1_.exe	97
PID 3776 wrote to memory of 760	3776	Logo1_.exe	97
PID 760 wrote to memory of 988	760	net.exe	99
PID 760 wrote to memory of 988	760	net.exe	99
PID 760 wrote to memory of 988	760	net.exe	99
PID 3776 wrote to memory of 3440	3776	Logo1_.exe	55
PID 3776 wrote to memory of 3440	3776	Logo1_.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
  "C:\Users\Admin\AppData\Local\Temp\1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5023.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Users\Admin\AppData\Local\Temp\1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
      "C:\Users\Admin\AppData\Local\Temp\1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe"
      4⤵
      Executes dropped EXE
      PID:3200
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4884
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
c9badcb684862f516b396d44b56baceb

SHA1
0d8eabcdc92e05177e46da3ea05ae2f41b01416c

SHA256
14c73a5bd721c24ebd8109d5d9a1e7dc8802c1bef0401cdd123ab41ae381c609

SHA512
543671893e74c261f12be887a10669dae034fcacad4998ae5282fe102aa4bcdcfa0776a9667f32f60fae93acdc5c2ad23f11ad330354295e9e44a67bc1dddb68

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
5aac7583510ebed6b8057afd1b55dfd3

SHA1
403d071ba18ca5251c300de07bf79219bba33e8c

SHA256
93a36984edc02b39685f692eb85eaf1cf3a02ce9767a2c4b5e38725e5e200adf

SHA512
e4ebe57faa33924f168d121a346b075e29b4fa018b5dadf7f55a322262730f76572e46c316e6429d8fbb3fd0b3443429e4dd34b4f0bc7fed3b4126f592a09899

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
ab26006fce082246aa3ffd6ff4cbcf89

SHA1
f8686e05d1aeb169e13c8d3889b01dd3988d5124

SHA256
a31829ad88d68b47eea131646207d5b3b53468a9bdd665365f608b6ce186b8ba

SHA512
0b7f2d8dab9c10a6619970c6e0568380d79951ec942f79bc035b8c93ebe8b23d925e42b62e22aaacce6ff981fbd719526aa797031b50a036e7e6f5aef0728df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5023.bat

Filesize
722B

MD5
4614176ea1d534d8f251fdbe48a8c4b9

SHA1
402c5cf1eb260399353653d069e7ebbb8bf14bea

SHA256
07ce8c9cc8facb25325d7f08a2e134ee2c3d540c52c1ab5fc8b17129e4d5a447

SHA512
420a407e27fd7887d99159856b71116c434f40c64c948b779d4a28087cff27f2d7c94b97dafd512e6b006bf1b473a7ccf009b529535ca847ca6a6e5c41dc321c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe.exe

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
7a091274be36971fce58dba0c887a23e

SHA1
1dcc358a109927e63e11775b0f38cca741f8d230

SHA256
308ea0a61b9625ffc055c1709dfa413e77ef4d9e01926435215044f6e9ab8757

SHA512
9497df8f2d42a38e831fc72c1c0f57f9a120afce4cf93b5b0c7f4462ee3f3fed722ad02733b6919879733fb06136e925a8ab6e62aaad63bce02b1a6fd6858607

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\_desktop.ini

Filesize
9B

MD5
4b2b75605a65a6762ec4715de0a70902

SHA1
3b85993ef06d2d814abc405188fdd19a1bffea0c

SHA256
77072cc5a7b394508cf5d819ff8cf4385a9b3cb15d8715a59845ccfa235ea34e

SHA512
888361e75afd4308bdad817af543704a42ffdf2d798acef619459e9978ac68f1cf4d468c6e0b146ab738b0109fdf331c4380471aa83f637b0f6ab06164840c65

Download Submit
memory/3092-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3092-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3776-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3776-5180-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3776-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3776-8648-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download