Analysis
max time kernel: 191s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-10-2022 10:25

Static task: static1

Behavioral task: behavioral1
Sample: 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
Resource: win10v2004-20220812-en
General
Target: 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
Size: 353KB
MD5: 4520e4a0472fd6b07e1931365fec3300
SHA1: 5e1689f8a24efac98d8572b9a1e2e65cb27eaab7
SHA256: 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298
SHA512: 4fec7d879af4565fdc3b8e8a0f5c8f13001d0899d686fca3737c00e4a3767713b8d9d7ae10b832c3b88797f041690a1eae7ad8941e692c8aff359979622508ac
SSDEEP: 6144:ziCQriwXLNxiJvrf/5Wvsi94B3/2AcZLhFmfrgy9gJzC:ziCQriwb2JDfBWvsC4BP2AcZNFmfkzC
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process
1460 Logo1_.exe
1728 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification C:\Windows\rundl132.exe Logo1_.exe
File created C:\Windows\Dll.dll Logo1_.exe
File created C:\Windows\rundl132.exe 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
File created C:\Windows\Logo1_.exe 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1728 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1728 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
1728 09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
PID: 2576
  C:\Users\Admin\AppData\Local\Temp\09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4760
    C:\Windows\SysWOW64\net.exe
    Command line: net stop "Kingsoft AntiVirus Service"
    - Suspicious use of WriteProcessMemory
    PID: 4780
      C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      PID: 4028
    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a349D.bat
    - Suspicious use of WriteProcessMemory
    PID: 1280
      C:\Users\Admin\AppData\Local\Temp\09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\09213b632e799f6d5d50bdf88166e8fe3b7d024419ff8ade380086a18dae1298.exe"
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 1728
    C:\Windows\Logo1_.exe
    Command line: C:\Windows\Logo1_.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1460
      C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 4300
        C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 3424
      C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 4356
        C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 4724
Network
MITRE ATT&CK Enterprise v6
Downloads