662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
Size

33KB
MD5

adfb2896768b260bb58be742e5898c08
SHA1

798c1ab25bfbe4374ef1cf0b2f016ea292be51d6
SHA256

662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42
SHA512

291486334fc702ecfb300688544d2063f615de93a4b9e368a1a1b36cfe307118842e2d967a5e99d0c847e66a0fc4e50ec667c4efe37e769093b72aef8de2c534
SSDEEP

768:zjk8aGFO5RroZJ76739sBWsUx0iGZa8x6f+:zjXNe+Zk78MHG76f

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\K:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\I:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\U:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\P:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\N:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\J:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\H:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\G:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\E:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\Z:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\W:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\R:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\L:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\Q:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\O:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\M:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\X:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\V:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\T:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened (read-only)	\??\S:	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\Windows Defender\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\Windows Defender\it-IT\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
File created	C:\Windows\Dll.dll	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2964	2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe	28
PID 2900 wrote to memory of 2964	2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe	28
PID 2900 wrote to memory of 2964	2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe	28
PID 2900 wrote to memory of 2964	2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe	28
PID 2964 wrote to memory of 2024	2964	net.exe	30
PID 2964 wrote to memory of 2024	2964	net.exe	30
PID 2964 wrote to memory of 2024	2964	net.exe	30
PID 2964 wrote to memory of 2024	2964	net.exe	30
PID 2900 wrote to memory of 2224	2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe	31
PID 2900 wrote to memory of 2224	2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe	31
PID 2900 wrote to memory of 2224	2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe	31
PID 2900 wrote to memory of 2224	2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe	31
PID 2224 wrote to memory of 2040	2224	net.exe	33
PID 2224 wrote to memory of 2040	2224	net.exe	33
PID 2224 wrote to memory of 2040	2224	net.exe	33
PID 2224 wrote to memory of 2040	2224	net.exe	33
PID 2900 wrote to memory of 1232	2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe	13
PID 2900 wrote to memory of 1232	2900	662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe
  "C:\Users\Admin\AppData\Local\Temp\662b4f7e55dc49967f819a68f803cbe56757fd7a74eec8dc02a1c0f8d94a8d42.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2024
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zG.exe

Filesize
601KB

MD5
591646abc341847aa6042581dbfa8160

SHA1
017337cad3ef14c7b4ed9266eb2113c0e5dd056d

SHA256
c4e60605eb109a937d90b8183c9292125dc5475cccb7a655372924c02c63b9d6

SHA512
f619463af33b7f2bfb91d59fe6d87596ed9ad38c9af904e939d60cac2c3dbd3c2ef37f517afd9b303bb72d295e3ca93df9630e2711b06c24da9537ebe0cbf285

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
3c4e379d66eccfbb03a1e544b34e67bb

SHA1
50e7e23a3c9dca8dcaffb07e3b887c709c8028f8

SHA256
11b20f2f73989bae710405c1d740ac3de82ec715b985836e2452a0ceb1562255

SHA512
e4aa10b35242333e183cf8043d43fe1ed65acdfc600e9d7b20644d678c13b910abfca13acb88e456397868b6c7b7bace040447ea116413364f7ed06013bd1229

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-86725733-3001458681-3405935542-1000\_desktop.ini

Filesize
10B

MD5
dbf19ca54500e964528b156763234c1d

SHA1
05376f86423aec8badf0adbc47887234ac83ef5a

SHA256
bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

SHA512
fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

Download Submit
memory/1232-3-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2900-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2900-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2900-1263-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2900-3740-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2900-4059-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download