736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01/09/2023, 21:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
Size

33KB
MD5

1053288a404474323acb4b767b58f30e
SHA1

63c2260f2d15f80bd785b0e94553e19266e0c74e
SHA256

736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb
SHA512

b1043e1829350ee61c45ceeeb3713381e974ed6cb25eacd3d1fe5fc8ac431f459eefddb5a90ee142dd8abfc0683eb342bd9fa1e234470eefdd42f1ec6992cd87
SSDEEP

768:FdO5RroZJ76739sBWstDcVgNdb7Vis/LZ+jZ5:Fde+Zk781FNdbk+0Z5

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\Z:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\Y:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\S:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\L:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\N:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\E:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\V:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\U:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\Q:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\O:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\H:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\G:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\W:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\P:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\K:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\I:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\X:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\T:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\R:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened (read-only)	\??\M:	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\Java\jre7\lib\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpenc.exe	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\MSBuild\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Program Files (x86)\Windows NT\_desktop.ini	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
File created	C:\Windows\Dll.dll	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1840	2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe	28
PID 2016 wrote to memory of 1840	2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe	28
PID 2016 wrote to memory of 1840	2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe	28
PID 2016 wrote to memory of 1840	2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe	28
PID 1840 wrote to memory of 1516	1840	net.exe	30
PID 1840 wrote to memory of 1516	1840	net.exe	30
PID 1840 wrote to memory of 1516	1840	net.exe	30
PID 1840 wrote to memory of 1516	1840	net.exe	30
PID 2016 wrote to memory of 2352	2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe	31
PID 2016 wrote to memory of 2352	2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe	31
PID 2016 wrote to memory of 2352	2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe	31
PID 2016 wrote to memory of 2352	2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe	31
PID 2352 wrote to memory of 2672	2352	net.exe	33
PID 2352 wrote to memory of 2672	2352	net.exe	33
PID 2352 wrote to memory of 2672	2352	net.exe	33
PID 2352 wrote to memory of 2672	2352	net.exe	33
PID 2016 wrote to memory of 1228	2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe	11
PID 2016 wrote to memory of 1228	2016	736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe
  "C:\Users\Admin\AppData\Local\Temp\736edb16db13681f70d047c063aa518480379be5d6a15c2d55bbe9594c3766cb.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1516
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
702734b3bd3f28d91e1e1d5d49c3ffb9

SHA1
50d9c620da2e7f619b1abfda4c3f186ff2c565e0

SHA256
f29fbb0c4c7cc68db579d22a0dff18305c0861379540ba9576636f684e672530

SHA512
5640d616dfff3d39ea38498cd8b52f0f077fecb2a7263c288532ce1c9dd4fa6a3c40aba7a4458486f1914a4cde137c118c0e2ebb881f9ab32095800ba024bbff

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
601KB

MD5
b153ab91dec9b48f2afcb6673d593c59

SHA1
25c1888b3f029ab9e4703129a8a897fe60ca152b

SHA256
73402c55586940d2a8016c514c93aff4d737390d41eca320de713ac64f8e4ed4

SHA512
3d0477d4dc91f86da4e3ceeeb3122d8a14f5b74bf3a94bc34339f947f00c98948645ce7d9aff80b26ce4877ea2293a576c7b1136bb2e2f80dc20b213864469dd

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
3eeec7dea3ac1162b9162456af69866a

SHA1
16c2834b9be250dc811786852a09b76283db9b91

SHA256
ab9c92e5c7ef90f6832d510478e4b6c1fef1e24ab6ca2410068e0d4f806a0f69

SHA512
ec4eb8441c1d64b7fde03bb4da57e562553b3db6a70096507b79c4c5be406b97ff8662cd8b14b7faef125b0ecfeda1d7d8b33a723305969ff5005c40987a37ab

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3849525425-30183055-657688904-1000\_desktop.ini

Filesize
8B

MD5
621383aab05ec88688f5cce893e26550

SHA1
03967cdd69bd47cd2ccede557778546ef7c015eb

SHA256
0992c9b2d0872dece2ee570393745ccb6fbeadc2ded371a1f5406447aa872360

SHA512
085e0e3da3ad9ebb7b05ad58803f979ad4873337f91e4e0f209756ecf02b5050e33c3ad4a38212308e8beaf1f81625003f28bdc52d41cb2853e8f5a7eeb7a18b

Download Submit
memory/1228-3-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2016-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-1811-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-4060-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download