0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
Size

130KB
MD5

dc884d7d730a9a1ee931438f0b388560
SHA1

a2a7f10b90622ccf2bfc5549078af3f6bf6a19c8
SHA256

0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d
SHA512

519c3e17ac7118d96f9c827159c507c8e52cdfe27ff90508aaf29cb8868d6b7df74a1170450e2c37e42bbd32d27017b2348f982af561a53197d8bf01478e497d
SSDEEP

3072:VYuIHFe+aX3yQf8zevgmJAIlwPxX/ZWOFrb:BI4+aX3ghvI+PxBWOFn

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2240	Logo1_.exe
5048	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{909D64B7-C23F-485D-95DB-54E004EAC8CD}.catalogItem	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E91234BF-0481-433E-AC47-10D694C87460\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
File created	C:\Windows\Logo1_.exe	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5048	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
5048	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 2592	3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe	85
PID 3864 wrote to memory of 2592	3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe	85
PID 3864 wrote to memory of 2592	3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe	85
PID 2592 wrote to memory of 1692	2592	net.exe	87
PID 2592 wrote to memory of 1692	2592	net.exe	87
PID 2592 wrote to memory of 1692	2592	net.exe	87
PID 3864 wrote to memory of 1324	3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe	88
PID 3864 wrote to memory of 1324	3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe	88
PID 3864 wrote to memory of 1324	3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe	88
PID 3864 wrote to memory of 2240	3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe	91
PID 3864 wrote to memory of 2240	3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe	91
PID 3864 wrote to memory of 2240	3864	0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe	91
PID 2240 wrote to memory of 4696	2240	Logo1_.exe	92
PID 2240 wrote to memory of 4696	2240	Logo1_.exe	92
PID 2240 wrote to memory of 4696	2240	Logo1_.exe	92
PID 2240 wrote to memory of 1076	2240	Logo1_.exe	94
PID 2240 wrote to memory of 1076	2240	Logo1_.exe	94
PID 2240 wrote to memory of 1076	2240	Logo1_.exe	94
PID 4696 wrote to memory of 4368	4696	net.exe	96
PID 4696 wrote to memory of 4368	4696	net.exe	96
PID 4696 wrote to memory of 4368	4696	net.exe	96
PID 1076 wrote to memory of 3288	1076	net.exe	97
PID 1076 wrote to memory of 3288	1076	net.exe	97
PID 1076 wrote to memory of 3288	1076	net.exe	97
PID 1324 wrote to memory of 5048	1324	cmd.exe	98
PID 1324 wrote to memory of 5048	1324	cmd.exe	98
PID 1324 wrote to memory of 5048	1324	cmd.exe	98
PID 2240 wrote to memory of 3172	2240	Logo1_.exe	45
PID 2240 wrote to memory of 3172	2240	Logo1_.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3172
- C:\Users\Admin\AppData\Local\Temp\0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
  "C:\Users\Admin\AppData\Local\Temp\0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1D47.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe
      "C:\Users\Admin\AppData\Local\Temp\0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5048
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4368
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
867140655369703de1d7684659b73119

SHA1
a7a0716dbc9cb0a32469ba9c7e295d80bf268a83

SHA256
bca1c6682f0a0557d68eb653742df115318bdb5a03ba4547b287ca344886b35f

SHA512
c3a8080273f39f9008370e6adec946e10641d60933c529197207756cce995a306fc2dc39eccb85493ceda12e6124ca92961b4aa0a81f7cd8d708a6ce3e4f0eab

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
491KB

MD5
53e18fcf860f8d0a82b6c03b9390e09e

SHA1
417d5052627f9e0c68a31e3c172dde056fbddc2a

SHA256
114c4aadf7e1c377f9503df8317ea3de8e44fb2ef25047ddb902c1ebc0ca080b

SHA512
8c30d779e4a075e37474b5b45e4e80d40b90cd5319059185f22dd78b54c62233d27673a299c129d3743b6fada81b92d491590d23e6b8f8687205ceb428e1cd91

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
0a71d731679d29833a636a9e044d179c

SHA1
78b1e5c1a6a49b09ae6b19389d6855e868f71285

SHA256
648c51d0ab8896438ac4fdecea9badc8d6f55b85f7b4727d935f127bb8d161e6

SHA512
cdf7fe2c37fa187e34c4ff013eac10c2c6c724f0e107847bbe078810e26138124d7b404d4f0ce9e154509c01b8e4c86a86a2f708edc82f8861de83c080d0c4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1D47.bat

Filesize
722B

MD5
0e053333dcd3b23227e2606b439e9485

SHA1
ff04089b5ff9d5a2ac2145443ede93ef503c537a

SHA256
be1e048b31fc14b42d7c456b416b48cf4a51984a85cf865e52ce25d79e5f2c4f

SHA512
a0b30d5efe29186f4d43cda0c180a8e6f5bbf36641b565d9819093a7e93415e5471396b5df109541e973bc54f28607fc2f9cfbf588ccefadf3bc445b86848cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe

Filesize
97KB

MD5
713a30695b671b6e3b19b7d09f9d8409

SHA1
83916537c86d7dc1043c752f195f04fa42813afe

SHA256
6b42e2e9822b99f5f13a6d1f639fa64cc93001266ceb7a7d342da1bce84d5c08

SHA512
a450c691e0c8d16519b418b366a260360a57e8511c6975f2e3029c41f30a68d83448126c3d57c9fb36b3a44e839d4bbcaa73e0adfe305a71e04def2fd990cbf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b6a1036696b058af5539b02f4daab0fe980243e409705718677d5e4606f028d.exe.exe

Filesize
97KB

MD5
713a30695b671b6e3b19b7d09f9d8409

SHA1
83916537c86d7dc1043c752f195f04fa42813afe

SHA256
6b42e2e9822b99f5f13a6d1f639fa64cc93001266ceb7a7d342da1bce84d5c08

SHA512
a450c691e0c8d16519b418b366a260360a57e8511c6975f2e3029c41f30a68d83448126c3d57c9fb36b3a44e839d4bbcaa73e0adfe305a71e04def2fd990cbf7

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
33f5a3f989229558b91469f2b9428fac

SHA1
87f21576e885ebca692e6c047c802837b400c86d

SHA256
c8c7b309235cda4a03d692f4b6292687a5dd14edc793968d525697f0fd253e4c

SHA512
825e45c1d6ffe5a95ceb47011a762f192431edea8aa4f74c85f35db6f61db6ba9803faeaa45abaa17ef051963edb902c837758257e7e8e04f6e34455ce8a0b50

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
33f5a3f989229558b91469f2b9428fac

SHA1
87f21576e885ebca692e6c047c802837b400c86d

SHA256
c8c7b309235cda4a03d692f4b6292687a5dd14edc793968d525697f0fd253e4c

SHA512
825e45c1d6ffe5a95ceb47011a762f192431edea8aa4f74c85f35db6f61db6ba9803faeaa45abaa17ef051963edb902c837758257e7e8e04f6e34455ce8a0b50

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
33f5a3f989229558b91469f2b9428fac

SHA1
87f21576e885ebca692e6c047c802837b400c86d

SHA256
c8c7b309235cda4a03d692f4b6292687a5dd14edc793968d525697f0fd253e4c

SHA512
825e45c1d6ffe5a95ceb47011a762f192431edea8aa4f74c85f35db6f61db6ba9803faeaa45abaa17ef051963edb902c837758257e7e8e04f6e34455ce8a0b50

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-642304425-1816607141-2958861556-1000\_desktop.ini

Filesize
9B

MD5
ec7139d5bb99bcebaf0b91c58a9ec5aa

SHA1
70404362dd74e309722fd282c3492ec95674123c

SHA256
eb17ae1b1de9e95e0d159893048f2de5c1c158467e768cc0ddbaa517c45e0582

SHA512
b0114d8f74b17836819b750cff2b590b652e04bb2dc0e9dc8bffac7ed66bd9ded03cd35abc7fc0fcd0127a994c283dcd162e97e6dd76f5a903ff59e4951dfc48

Download Submit
memory/2240-25-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-1725-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-3198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-5674-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-8374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3864-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3864-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-27-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/5048-24-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download