Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/08/2023, 05:26
Static task: static1
Behavioral task: behavioral1
Sample: 2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe
Resource: win7-20230712-en
General
Target: 2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe
Size: 48KB
MD5: 6fc37977d8f16b68a96adbcadf3ff130
SHA1: df71e76d6200f4bce479202baf151cf356b74470
SHA256: 2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870
SHA512: 59d1b5662ce178a7385fef748cc285489d18962795f326c64efb77fe76841e54883974a6f617f7b8d92978bd45bce3b2777191da84ee4ae49eb007c37e1f7aea
SSDEEP: 768:2tXuRZa+Vxr1x5cE9Fl5pz8w1rU9hFInlI1LqYJUukGdKETL4Ibq:2tXuRksrz8GvnG1hXRTlq
Malware Config
Signatures
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE 2 IoCs
pid | Process
1232 | Logo1_.exe
4736 | 2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe
File created | C:\Windows\Logo1_.exe | 2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4740 | 2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe
1232 | Logo1_.exe
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target
PID 4740 wrote to memory of 1328 | 4740 | 2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe | 82
PID 1328 wrote to memory of 4340 | 1328 | net.exe | 84
PID 4740 wrote to memory of 4100 | 4740 | 2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe | 86
PID 4740 wrote to memory of 1232 | 4740 | 2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe | 88
PID 1232 wrote to memory of 3572 | 1232 | Logo1_.exe | 89
PID 3572 wrote to memory of 4828 | 3572 | net.exe | 91
PID 4100 wrote to memory of 4736 | 4100 | cmd.exe | 92
PID 1232 wrote to memory of 1568 | 1232 | Logo1_.exe | 95
PID 1568 wrote to memory of 2788 | 1568 | net.exe | 97
PID 1232 wrote to memory of 3128 | 1232 | Logo1_.exe | 70
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3128
  - C:\Users\Admin\AppData\Local\Temp\2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe"
    PID: 4740
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 1328
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 4340
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a800D.bat
      PID: 4100
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\2abcb4da5f21be10cabca7a2c6598fd84023f71dde84aa20a242f5ab074ec870.exe"
        PID: 4736
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 1232
      Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 3572
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4828
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 1568
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2788
Network
MITRE ATT&CK Enterprise v15
Downloads