5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2023 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
Size

101KB
MD5

1f1ce626a037ca719a1e6eb08881ac70
SHA1

cb9c5c22ce1f401d68c8faf841492114eb58ca33
SHA256

5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122
SHA512

3ae0e5356a3f1ee24137e6701c984e8306d1023082e0a22de5366cb231094acaa071f2893e3406a097962609aba48a0a262d49c195026972f17ff88fcf9aeb98
SSDEEP

1536:VYuIHFe+Zk77RNyvb0LzszE83C8mWtwXaa8NPI9j+RedcP01ic4Brg:VYuIHFe+aX3yQf8zmWtwXwKRj1EBrg

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
956	Logo1_.exe
4120	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe
956	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4208	5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe	83
PID 5100 wrote to memory of 4208	5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe	83
PID 5100 wrote to memory of 4208	5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe	83
PID 4208 wrote to memory of 1216	4208	net.exe	85
PID 4208 wrote to memory of 1216	4208	net.exe	85
PID 4208 wrote to memory of 1216	4208	net.exe	85
PID 5100 wrote to memory of 3520	5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe	86
PID 5100 wrote to memory of 3520	5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe	86
PID 5100 wrote to memory of 3520	5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe	86
PID 5100 wrote to memory of 956	5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe	87
PID 5100 wrote to memory of 956	5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe	87
PID 5100 wrote to memory of 956	5100	5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe	87
PID 956 wrote to memory of 3056	956	Logo1_.exe	88
PID 956 wrote to memory of 3056	956	Logo1_.exe	88
PID 956 wrote to memory of 3056	956	Logo1_.exe	88
PID 3056 wrote to memory of 2728	3056	net.exe	91
PID 3056 wrote to memory of 2728	3056	net.exe	91
PID 3056 wrote to memory of 2728	3056	net.exe	91
PID 3520 wrote to memory of 4120	3520	cmd.exe	92
PID 3520 wrote to memory of 4120	3520	cmd.exe	92
PID 3520 wrote to memory of 4120	3520	cmd.exe	92
PID 956 wrote to memory of 4504	956	Logo1_.exe	93
PID 956 wrote to memory of 4504	956	Logo1_.exe	93
PID 956 wrote to memory of 4504	956	Logo1_.exe	93
PID 4504 wrote to memory of 2644	4504	net.exe	95
PID 4504 wrote to memory of 2644	4504	net.exe	95
PID 4504 wrote to memory of 2644	4504	net.exe	95
PID 956 wrote to memory of 3212	956	Logo1_.exe	52
PID 956 wrote to memory of 3212	956	Logo1_.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
  "C:\Users\Admin\AppData\Local\Temp\5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a90D6.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe
      "C:\Users\Admin\AppData\Local\Temp\5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe"
      4⤵
      Executes dropped EXE
      PID:4120
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2728
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
867140655369703de1d7684659b73119

SHA1
a7a0716dbc9cb0a32469ba9c7e295d80bf268a83

SHA256
bca1c6682f0a0557d68eb653742df115318bdb5a03ba4547b287ca344886b35f

SHA512
c3a8080273f39f9008370e6adec946e10641d60933c529197207756cce995a306fc2dc39eccb85493ceda12e6124ca92961b4aa0a81f7cd8d708a6ce3e4f0eab

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
491KB

MD5
53e18fcf860f8d0a82b6c03b9390e09e

SHA1
417d5052627f9e0c68a31e3c172dde056fbddc2a

SHA256
114c4aadf7e1c377f9503df8317ea3de8e44fb2ef25047ddb902c1ebc0ca080b

SHA512
8c30d779e4a075e37474b5b45e4e80d40b90cd5319059185f22dd78b54c62233d27673a299c129d3743b6fada81b92d491590d23e6b8f8687205ceb428e1cd91

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
0a71d731679d29833a636a9e044d179c

SHA1
78b1e5c1a6a49b09ae6b19389d6855e868f71285

SHA256
648c51d0ab8896438ac4fdecea9badc8d6f55b85f7b4727d935f127bb8d161e6

SHA512
cdf7fe2c37fa187e34c4ff013eac10c2c6c724f0e107847bbe078810e26138124d7b404d4f0ce9e154509c01b8e4c86a86a2f708edc82f8861de83c080d0c4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a90D6.bat

Filesize
722B

MD5
f0653182b9c4d408a97b4dc2a112e10b

SHA1
0c643df686ffd12319c1ace85404a2b756212930

SHA256
9a26340032ae7cc432fbebd30f0477c31a3526df1ac83d0bf5da050e6ac56072

SHA512
807e1bc2393a02de5587efffce8ba7b4395face016f4d8257b5695c0548830adb38aa05eec74b06b425174f134f7fad8a0cb5cb59fd40ee3f1b56170a595d8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe

Filesize
68KB

MD5
48335cfbe6a9bdaa2492ca1320b70a3a

SHA1
6d3c3d659e3718a0b56f52c9d4386d55d7672b97

SHA256
4ec34f1d893e8cc02f669fb5eb329bbcc5374bd7e7284e8fd86fbc29d2ffeb4d

SHA512
9eaf3b380449ab1d2b4b6371336fc71f6a43eee0295de012d0859e7f3b80a87f9d8316b0e65d4ca450630ee17b95c64e79e594bfe27fb3965917b0c5bc2d1b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\5be21944ad0ac007851bf02141c1ebb6cc4afaec27dd8e1984c8b61c6d80c122.exe.exe

Filesize
68KB

MD5
48335cfbe6a9bdaa2492ca1320b70a3a

SHA1
6d3c3d659e3718a0b56f52c9d4386d55d7672b97

SHA256
4ec34f1d893e8cc02f669fb5eb329bbcc5374bd7e7284e8fd86fbc29d2ffeb4d

SHA512
9eaf3b380449ab1d2b4b6371336fc71f6a43eee0295de012d0859e7f3b80a87f9d8316b0e65d4ca450630ee17b95c64e79e594bfe27fb3965917b0c5bc2d1b58

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
33f5a3f989229558b91469f2b9428fac

SHA1
87f21576e885ebca692e6c047c802837b400c86d

SHA256
c8c7b309235cda4a03d692f4b6292687a5dd14edc793968d525697f0fd253e4c

SHA512
825e45c1d6ffe5a95ceb47011a762f192431edea8aa4f74c85f35db6f61db6ba9803faeaa45abaa17ef051963edb902c837758257e7e8e04f6e34455ce8a0b50

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
33f5a3f989229558b91469f2b9428fac

SHA1
87f21576e885ebca692e6c047c802837b400c86d

SHA256
c8c7b309235cda4a03d692f4b6292687a5dd14edc793968d525697f0fd253e4c

SHA512
825e45c1d6ffe5a95ceb47011a762f192431edea8aa4f74c85f35db6f61db6ba9803faeaa45abaa17ef051963edb902c837758257e7e8e04f6e34455ce8a0b50

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
33f5a3f989229558b91469f2b9428fac

SHA1
87f21576e885ebca692e6c047c802837b400c86d

SHA256
c8c7b309235cda4a03d692f4b6292687a5dd14edc793968d525697f0fd253e4c

SHA512
825e45c1d6ffe5a95ceb47011a762f192431edea8aa4f74c85f35db6f61db6ba9803faeaa45abaa17ef051963edb902c837758257e7e8e04f6e34455ce8a0b50

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\_desktop.ini

Filesize
9B

MD5
2326d479b287193a70f520700dc8d23e

SHA1
afea66d3788a50debd6f5d4c9dd51f68a4477e64

SHA256
95d41561a1467d20977f59108e85da181e0b4dfd3db9e40182ae7378c4a927f8

SHA512
cb971c406ddf7147536a6a1569d4ff49d7219aa52cde5d110be1109874d66daace832d423d7969af9e6bbc9738a65734c7e68e994591b7677aad51fa0f52cf37

Download Submit
memory/956-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/956-1293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/956-5006-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/956-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/956-8739-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5100-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5100-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download