a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 18:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
Size

59KB
MD5

d2a536bbe5e4335f5737b50fd1e7a258
SHA1

1cae970c4d41b623051846ea86197030724c323b
SHA256

a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2
SHA512

03123650f8d55772a4aa66762e5973f51a1a1817fcf0aad60d5318603bfb4db16698a37c83555beea8edb23fed4a678289c5ad6a7fdd550dc5731f6fc167e040
SSDEEP

768:mYBzh+Vxr1x5cE9Fl5pz8UOutDlMXaoSunjXWNNyvo7TnIuSjvgkGOxJVqL4IbM:/BNsrz8VuJlMXaDuiNQvOnl6vAOxJ0lM

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
468	Logo1_.exe
4752	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
File created	C:\Windows\Logo1_.exe	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe
468	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3196	1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe	82
PID 1316 wrote to memory of 3196	1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe	82
PID 1316 wrote to memory of 3196	1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe	82
PID 3196 wrote to memory of 880	3196	net.exe	84
PID 3196 wrote to memory of 880	3196	net.exe	84
PID 3196 wrote to memory of 880	3196	net.exe	84
PID 1316 wrote to memory of 1560	1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe	88
PID 1316 wrote to memory of 1560	1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe	88
PID 1316 wrote to memory of 1560	1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe	88
PID 1316 wrote to memory of 468	1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe	90
PID 1316 wrote to memory of 468	1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe	90
PID 1316 wrote to memory of 468	1316	a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe	90
PID 468 wrote to memory of 4176	468	Logo1_.exe	91
PID 468 wrote to memory of 4176	468	Logo1_.exe	91
PID 468 wrote to memory of 4176	468	Logo1_.exe	91
PID 1560 wrote to memory of 4752	1560	cmd.exe	93
PID 1560 wrote to memory of 4752	1560	cmd.exe	93
PID 1560 wrote to memory of 4752	1560	cmd.exe	93
PID 4176 wrote to memory of 540	4176	net.exe	94
PID 4176 wrote to memory of 540	4176	net.exe	94
PID 4176 wrote to memory of 540	4176	net.exe	94
PID 468 wrote to memory of 3676	468	Logo1_.exe	96
PID 468 wrote to memory of 3676	468	Logo1_.exe	96
PID 468 wrote to memory of 3676	468	Logo1_.exe	96
PID 3676 wrote to memory of 1432	3676	net.exe	98
PID 3676 wrote to memory of 1432	3676	net.exe	98
PID 3676 wrote to memory of 1432	3676	net.exe	98
PID 468 wrote to memory of 3448	468	Logo1_.exe	56
PID 468 wrote to memory of 3448	468	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
  "C:\Users\Admin\AppData\Local\Temp\a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a43DF.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe
      "C:\Users\Admin\AppData\Local\Temp\a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe"
      4⤵
      Executes dropped EXE
      PID:4752
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4176
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:540
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
5d64188818f8abcb73f41c0b3c33441b

SHA1
30eb087973f856bdc3aca96d9b6038a55f866b2c

SHA256
30cf4b58ecca3bb3fe81f3829d12e56bd12143ed52b0c55f6d6a11792003278e

SHA512
7a807a62543517c2f637803a7d5b43af5d7df66591a195aa2f254464bfb63adf20bf4a0908fef74c1b7aff5ca0a9d0e1129e657347d3b6dd24df53e6e122c6fe

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
644KB

MD5
11e0853d537d2721ecc655c1fc527e91

SHA1
c8e23d103e93073ba7c93374878ae9a9f926c944

SHA256
f168cda7cfa0f4f1d8dc26f615772410afe41b43fbc3da3cfe2c249b1eadca30

SHA512
3e5af85789e480d355053e9ded02108ae53136aec795d5d37faf1d5426275f7f3729e5583b0a95b3434d5b4452c7382405c0f8bc94e8a65275335c62268e0ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a43DF.bat

Filesize
722B

MD5
fbdbd7d23ed613ec7fb71b898906731a

SHA1
1ba10be3700fd56402328f31cbba0886c3933350

SHA256
2f84c4dc8f7456b7cf0ecd0bf96e5b88a08ba78cb4574fd7e6bcaa146dfbd964

SHA512
c975fec3a9d5069f1f7196f0d5ed13e0476a169de7030cd8fac06dc342ef59399b8cf1f1ea807a79990146b12b31b3645158b7a12e7a6a7f53e6ca60fda7eaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8d526d265b197c8ecf5979bfad3775e81913bb4c2f0914f869c7191fa1255f2.exe.exe

Filesize
25KB

MD5
6ff84be315cfafbbdf36aa01af8389e7

SHA1
2c550a4059ac331f5f5c9d3f218e0f6184aa27c9

SHA256
47c67c1c88ceaee3cf1667bf956a3e11a84dea2f7c2afc634777aa5f1bf65c76

SHA512
72498b009573a9cc9b5554e61d56b68f273682bfa2e13808f4abd5b2171aa59dd4a64bd9f68a3a416cfaceacb0041df918d8a84f28a5fa7f204fc562c5b6b174

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
d208b34bbac286d49a77081b20a5c951

SHA1
94341f108285312afa4cd4d6458804358b88e322

SHA256
6d3b364072ac79af423a6fa1252424274b51e8c18a113e8f54e7d8a9413ae33a

SHA512
e42039b533ec80a0b591bd6a4877c8c993eefdd7323a6fbb2d58b75188f085365c8f927f7079917fa18363f505f9ec400c0536f236248ca2809941dcd408aab0

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\_desktop.ini

Filesize
9B

MD5
03c36dbecb7f35761f80ba5fc5566da6

SHA1
159b7733006187467bda251a1bbb278c141dceb6

SHA256
85a53f5b976fb1c26ce14c31e93c1f68997d2d8b09ab9aa2b7e0d32b8e50ec3b

SHA512
fe573085d2abef34adcede2f89b1c2810875ab00ef9ba27a1d95ed1dbe93e182fc53d981901a0b8048dd4eb5fdc852b8f0e0c3a0e1a404cbbe70e13a7a14104a

Download Submit
memory/468-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-5220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-8684-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download