f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 21:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
Size

6.5MB
MD5

77ed604858741f26749c73bb7a8d743d
SHA1

dc4ef9aa00934e555b3ff2e337af30e65b8b90ba
SHA256

f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610
SHA512

189d9e6f5d597aebcd8e6a7776b449e798ac4bb21256dafe2d400f57aa1ca5945327621bcf7cbbbda331da1220dbb908974cf05dcb64dbeaee522501a19d8630
SSDEEP

196608:loCzNA7rlvRz1rrFBV6tpjuj6gYPKHCKsg:WjUtYj6gYPYp

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
4900	Logo1_.exe
4760	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{BA022FB8-9789-4915-98CD-5E18FBB12FBA}\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
File created	C:\Windows\Logo1_.exe	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe
4900	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3796	4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe	85
PID 4192 wrote to memory of 3796	4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe	85
PID 4192 wrote to memory of 3796	4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe	85
PID 3796 wrote to memory of 1280	3796	net.exe	87
PID 3796 wrote to memory of 1280	3796	net.exe	87
PID 3796 wrote to memory of 1280	3796	net.exe	87
PID 4192 wrote to memory of 4104	4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe	89
PID 4192 wrote to memory of 4104	4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe	89
PID 4192 wrote to memory of 4104	4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe	89
PID 4192 wrote to memory of 4900	4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe	91
PID 4192 wrote to memory of 4900	4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe	91
PID 4192 wrote to memory of 4900	4192	f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe	91
PID 4900 wrote to memory of 676	4900	Logo1_.exe	92
PID 4900 wrote to memory of 676	4900	Logo1_.exe	92
PID 4900 wrote to memory of 676	4900	Logo1_.exe	92
PID 4104 wrote to memory of 4760	4104	cmd.exe	94
PID 4104 wrote to memory of 4760	4104	cmd.exe	94
PID 676 wrote to memory of 5048	676	net.exe	95
PID 676 wrote to memory of 5048	676	net.exe	95
PID 676 wrote to memory of 5048	676	net.exe	95
PID 4900 wrote to memory of 436	4900	Logo1_.exe	96
PID 4900 wrote to memory of 436	4900	Logo1_.exe	96
PID 4900 wrote to memory of 436	4900	Logo1_.exe	96
PID 436 wrote to memory of 2932	436	net.exe	98
PID 436 wrote to memory of 2932	436	net.exe	98
PID 436 wrote to memory of 2932	436	net.exe	98
PID 4900 wrote to memory of 3140	4900	Logo1_.exe	39
PID 4900 wrote to memory of 3140	4900	Logo1_.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
  "C:\Users\Admin\AppData\Local\Temp\f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6CB4.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe
      "C:\Users\Admin\AppData\Local\Temp\f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4760
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:5048
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
9b42d2515f141ba72133781a76736bb4

SHA1
65d1df162ae4fa96151e45b327a302679e0ac69e

SHA256
9c2141e6127498e0d147e6a21813e538b56e4e37b10331a48325dcf5125d7385

SHA512
21598e1d26a36e05bea270588af62b0c2c9ba5de7c993af502b6565fb43aa8b9a2d02f5891c1d14a13c114c0d79517d864f6df008f9c4b4b6cd0d0a3d6b6518f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
491KB

MD5
0e855462452e2a8fb595c3b9fdaccf81

SHA1
c9fa88a45a97d4c3ca56715c8d932fa034023924

SHA256
eb484d151da686a9baaac7602faad10e1ea4801d31ec35ced62102c409f4dccf

SHA512
87a263501b199cdc70dc4a1dd6c1646d8e033a014ade9f72ef767ea539d3df86ae0122785903ee982bff68b0a5f0ca321f9e3b8ce7a7bc2bdaec524b9ab1bca3

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
3eeec7dea3ac1162b9162456af69866a

SHA1
16c2834b9be250dc811786852a09b76283db9b91

SHA256
ab9c92e5c7ef90f6832d510478e4b6c1fef1e24ab6ca2410068e0d4f806a0f69

SHA512
ec4eb8441c1d64b7fde03bb4da57e562553b3db6a70096507b79c4c5be406b97ff8662cd8b14b7faef125b0ecfeda1d7d8b33a723305969ff5005c40987a37ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6CB4.bat

Filesize
722B

MD5
c8cf5c47397657b801631651c0bbbf4a

SHA1
3ef6b0dc8fd183145c8b2a312647b43807f0570e

SHA256
5e9eae72958ceebb854407e931c61d2cea9f06c8460e868dc683e4ca638a9dd2

SHA512
335d9bb4d132e5066dcf3c8868f578616d5a1abf5eb154b34e2a612199f081b53e9deb8ea3e1861d6f46a97c0f91e13e69cc73994ecea039b07f30af939535e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.4760.update

Filesize
9KB

MD5
78e591860832608ebc49dddd9fc0e1db

SHA1
d927f135f15190f95805dd8bfe6df0de20dfff53

SHA256
ccb5f71ce184e151412a8f04144011ba4da50371c20ef12778d276577f691f9a

SHA512
57f334f57f0aaba4238e7ce834784dece8e81cceae248999f1a45aa8fed0b86fe20f3d6ac6fb3649cf653e9f65f3b35695e203f1d6ed1e54e073df10fe008fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe

Filesize
6.4MB

MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\f471793ab6fe448751cd749a59a876107e6acadd8177e39550724a2de7d63610.exe.exe

Filesize
6.4MB

MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\choco.exe

Filesize
166KB

MD5
37aa138ce5eea2786824f928cf30f170

SHA1
064e511839ab2c12afcf986e7918b742b5a88cad

SHA256
79a69cdb4fc12b1cec4916ff765eca7f6d47a7748c8c02ea997ec973ac7bed82

SHA512
26aa27f496149cd6e8140a42212cd601345565dca8830e085389a98ee2aef35f55188f8492fc9ce6fce34e5d1ba424ed2046a52bc22d864678703229f7d08341

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\chocolatey.exe

Filesize
166KB

MD5
49f24f5e641ffabf1d93894f04e4e98a

SHA1
729af7f4bd086c2c76818e9da7d07e3576376944

SHA256
858cb349f862263f680c994b887d538cf8fa62c5cacecd279aac53a5758c277d

SHA512
aa0536661e7568affa653f64ed15ae3ef61cc83155ed9a5393817356be09eae73eca803b38d40901ba0ac7ca7531c8296870ed35e541243f8ff669ff1a022671

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cinst.exe

Filesize
166KB

MD5
cb731a861f60f22fdb77e414146f5c52

SHA1
3f4f2880f57b67a328f1a24a8dbf64beaff4271d

SHA256
8eedc3d8d1821b5096c7d2adc808817c7f27e4b4c19a1e7d901b024d4ccfa0fd

SHA512
4568cc8db933fd8554e991f42405b9f406c627a431eefa2db84f11a53ebfcc6fc3d421f0dfa3f6b341d99e451eb18f30610cc40ac77d2abe88f22b915aa4e038

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\clist.exe

Filesize
166KB

MD5
5646753f4a5473cdf2aabed19402b0f4

SHA1
28a911b74c23bce09bffdce27e79237ef4a0ee47

SHA256
43de6d4435a6466c56472495c2b4cfdc85d15c7814c169a15c4b72b19e02c0c1

SHA512
a1187cf5a6af08463d44fab624d310ee321c19d4a60cd0bdbbdf86429e5a4738cdd9fae76589c900311ee5c4fba50d5ad33e67b977d02d898ace07a331f6ebbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cpack.exe

Filesize
166KB

MD5
c8a3587e6376aaa01dd70e5b09876bc7

SHA1
7c0c4327233f39bcd25fb192472261b54e29303a

SHA256
558b490507b13b46942a3a7b5f8c9835e1615a4a99759a00f1b80f7c27f54c73

SHA512
8ce91a797b136cdada480e5deaeea3e1a976417252554d232fd0594ac63a77fec984f376ef77e9da054ed03990c4e7ec877ebc0c43af716c2dadabbf77beea38

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cpush.exe

Filesize
166KB

MD5
67b8052122ab4e94bd482f452a922e3b

SHA1
66be9f586ee1808dd016606e0cddcc6fa632683b

SHA256
e0ee8208dfa90c459fc00589d56c196719c4662c2993505da93ce1360dce1d5e

SHA512
835077405ff0a3ec3dbddddacf91f4a4fae2ee098b1e787be46740fcfa75e4c34a42483ecbd9d7b1ce8539f86ab2d5db9f73402826a4f3dd9abde17686096932

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cuninst.exe

Filesize
166KB

MD5
c296c1e9bed61207b0280c844c4e1a81

SHA1
a2117864bafc20afaf405ffe5230536a4ef0dd42

SHA256
43372c8fffda574021c6f4ab1d66e6f052ccfe4e5c69cc4dba26d5d3e62e609c

SHA512
09b78848b32d65e346021c61aab27d5056a5274285eed722bec64920289151dd38264e8cbca2280e3fe3ae53cbf7524f35cbad934a346758c8e5a8a4326be917

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cup.exe

Filesize
166KB

MD5
c58271c43366331fb4ab55ca028bde64

SHA1
978f20d233fa83ba8384c71b81d74b12c577680f

SHA256
5ec818e3305a9ded032d400ed45cd6a955b1ae898d43d417d9d13038699338d3

SHA512
4fe6727c08da2dbf172ca5253b65281d020497c4cb28611b3468fa89a4d1d3d158b9e30490036032fb2c68dfde8bfee0d08d1eb6468491b41c46c236f4e4c5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cver.exe

Filesize
166KB

MD5
000b2829736cab26fa0298e71d82054d

SHA1
08388b1b589a33761a7fe9b248764284654a218a

SHA256
0fe143770b15607ba5bc36a447bf2f462883d3ae87fb02337741ced4adbee46c

SHA512
a9dac5c79e7825dc21e8eb385009c14230b128dfc010bbc0514406b54fa2a6a822102d83e6719ecac15ae27eb45e3d5fb15d9849c3d4e4fa16f9a1b7c94d2f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\7z.exe

Filesize
317KB

MD5
8a49a92e3939293445f911602492d907

SHA1
7e427565daf9496220dbe6ff5bc25ad32a266b2d

SHA256
a6389755cfa450927930aef5c04531efcfe56e7b3717f40d1de17459d3b768ba

SHA512
5431e81c1f41310ce59dde2eac3fa1cd059dd8740ff8042c3219cd1a5e2503a43dc14f94489079b7fb3ebf0e853e602a8de7ce9d3076b970b41023aa5124f25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\checksum.exe

Filesize
61KB

MD5
75f3c39414ff6750521933e6068fe3cc

SHA1
abe179ef760e9e68bb394a0882cb1f19b1224528

SHA256
0f8267a895f0602ad85180d9fe56e549e384a95ac9caaba076139ef38119f1a2

SHA512
e27a44691c53cb54d6cde4c9d6cb85051f1b801e2c7f11ec83910db4a361be11ecc0f4dfb77f4482807c63dab39615034df1b13c0fb1e8fd4539962e388513f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\shimgen.exe

Filesize
228KB

MD5
d300b63493c004813b45d8b21dd27535

SHA1
4c2abc215848fb27b3a18c5829a4b79bf5731107

SHA256
05b9e11ac705bebf06ecf46cd8863e60bcd5933650c947a1c01399b52fbe7288

SHA512
f38180852c9b94c29ed9343d984bf4ffcd40a2409ef3e44fdf6bad6d3230c52ac15b530e93ac1794c145c90d04989f89d471500ab9b07d7aa4cf9686c626a6ff

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
14c6ac5740ac8df6d17331d09112610b

SHA1
198c3fc3e017770cd1a63cd0d819815b0e37ae5c

SHA256
053a2e6929f5fb5df8628b63b6aca40394ddeda49b5cde05d7b4c3e851726c8e

SHA512
b8a629c25255b4088f523d516b56bc4bd2330630c5529336a545f2d1f5e14b1ca27a67d95729120f4c947f722861cea64891e93c00c1b47c7af1db8101e126e6

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
14c6ac5740ac8df6d17331d09112610b

SHA1
198c3fc3e017770cd1a63cd0d819815b0e37ae5c

SHA256
053a2e6929f5fb5df8628b63b6aca40394ddeda49b5cde05d7b4c3e851726c8e

SHA512
b8a629c25255b4088f523d516b56bc4bd2330630c5529336a545f2d1f5e14b1ca27a67d95729120f4c947f722861cea64891e93c00c1b47c7af1db8101e126e6

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
14c6ac5740ac8df6d17331d09112610b

SHA1
198c3fc3e017770cd1a63cd0d819815b0e37ae5c

SHA256
053a2e6929f5fb5df8628b63b6aca40394ddeda49b5cde05d7b4c3e851726c8e

SHA512
b8a629c25255b4088f523d516b56bc4bd2330630c5529336a545f2d1f5e14b1ca27a67d95729120f4c947f722861cea64891e93c00c1b47c7af1db8101e126e6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2415528079-3794552930-4264847036-1000\_desktop.ini

Filesize
8B

MD5
621383aab05ec88688f5cce893e26550

SHA1
03967cdd69bd47cd2ccede557778546ef7c015eb

SHA256
0992c9b2d0872dece2ee570393745ccb6fbeadc2ded371a1f5406447aa872360

SHA512
085e0e3da3ad9ebb7b05ad58803f979ad4873337f91e4e0f209756ecf02b5050e33c3ad4a38212308e8beaf1f81625003f28bdc52d41cb2853e8f5a7eeb7a18b

Download Submit
memory/4192-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4192-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4760-20-0x000000001B8D0000-0x000000001B920000-memory.dmp

Filesize
320KB

Download
memory/4760-129-0x00007FFE8C620000-0x00007FFE8D0E1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-26-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/4760-25-0x00007FFE8C620000-0x00007FFE8D0E1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-22-0x0000000002D80000-0x0000000002D9E000-memory.dmp

Filesize
120KB

Download
memory/4760-21-0x000000001B9E0000-0x000000001BA56000-memory.dmp

Filesize
472KB

Download
memory/4760-14-0x00000000005F0000-0x0000000000C64000-memory.dmp

Filesize
6.5MB

Download
memory/4900-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-5352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-1804-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-8916-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download