Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/10/2023, 03:17
Static task: static1
Behavioral task: behavioral1
Sample: 3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe
Resource: win7-20230831-en
General
Target: 3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe
Size: 66KB
MD5: 3f24b4eef4a2bc0b725f8aff5cac54d2
SHA1: 361044ee93bef703b6112ec1e735c22a5d15ddb5
SHA256: 3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6
SHA512: 075066d5cc4ea8168efa2b081456a804ad3cad6f24162b537e5064cdcb3857fbf532e8caa3076cb047a43311787ac5655d09eb80310c27c6c6db6bf874d387d9
SSDEEP: 1536:PUaYzMXqtGNttyUn01Q78a4R8b4yzwC132n6wkj7:PUaY46tGNttyJQ7KR8b4yzjwkH
Malware Config
Signatures
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE 2 IoCs
pid | Process
1636 | Logo1_.exe
844 | 3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | 3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe
File created | C:\Windows\Logo1_.exe | 3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4488 | 3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe
1636 | Logo1_.exe
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target
PID 4488 wrote to memory of 1868 | 4488 | 3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe | 85
PID 1868 wrote to memory of 3176 | 1868 | net.exe | 87
PID 4488 wrote to memory of 1320 | 4488 | 3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe | 89
PID 4488 wrote to memory of 1636 | 4488 | 3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe | 91
PID 1636 wrote to memory of 3740 | 1636 | Logo1_.exe | 92
PID 3740 wrote to memory of 4556 | 3740 | net.exe | 94
PID 1320 wrote to memory of 844 | 1320 | cmd.exe | 95
PID 1636 wrote to memory of 4880 | 1636 | Logo1_.exe | 97
PID 4880 wrote to memory of 3540 | 4880 | net.exe | 99
PID 1636 wrote to memory of 3180 | 1636 | Logo1_.exe | 46
Processes
- C:\Windows\Explorer.EXE (PID 3180)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe (PID 4488)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe"
    Signatures: Drops file in Drivers directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1868)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 3176)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 1320)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8618.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe (PID 844)
        Command line: "C:\Users\Admin\AppData\Local\Temp\3279f7f7db043024f5a371e3b2f966ca6d5564fd4579330801d39f0b905cc8b6.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 1636)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops file in Drivers directory; Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 3740)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4556)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 4880)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 3540)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads